Why/How does Apache auto-include "DHE" TLS1.2 ciphers while nginx needs "dhparams" file?


When doing some web site proxying of SSL web sites, I ran some tests using "sslscan" against the SSL setup of an NGINX site and an apache site. Both were set up to use the same certificate, key and CA, same cipher list, etc. The problem is that running sslscan against the apache site gave me extra ciphers for DHE (Diffie-Hellman Ephemeral) while the Nginx server didn't offer those up.

Looking into it further, I found that Nginx has a "dhparam" setting, which loads in a custom file (key pair) and if that is set then Nginx offers those same ciphers at the bit-length from the dhparam file.

.. But Apache doesn't have that setting, so it must auto-generate the key length based on the SSL certificate used? The certificates don't have any dh params entries in them anywhere.

So my questions are:

  1. Is this in the apache code? .. Where? .. I can find almost nothing documented except for this which kind of skims past it: https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile

  2. Perhaps it's something like this, or one of these groups - but wouldn't that lock the bit-length to whatever is compiled-in? https://wiki.openssl.org/index.php/Diffie-Hellman_parameters

  3. Why did Nginx not do this? From the readings I have done it is recommended NOT to do your own dhparam file - and openssl seems to have internal functions that might use internal built-ins? https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_tmp_dh_callback.html

Overall I'm confused as to why nginx opted to require more configuration to achieve the same ciphers (and that DHE ciphers seem to be better from the point of view that the session key is temporary and destroyed) so it seems odd to me.

sslscan <website>

Comparing the output of nginx to apache showed me a difference in ciphers, leading me to find dhparams are not auto-performed in nginx... But where does Apache get them from?

Example:

sslscan duolingo.com
Version: 2.0.6-static
...
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256         DHE 1024 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA256         DHE 1024 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits
...

These extra DHE ciphers are available (the above only being 1024-bit, while mine are 2048). I expected Nginx to give the same ciphers as apache when configured the same.

Two previous topics on Stack Exchange confirm "dhparam" is required in nginx - but not why it needs it while apache doesn't.
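An added example, not code from the question or from either server: it parses the "Accepted ..." lines in the sslscan output format quoted above and compares two scans, so the DHE suites one server offers and the other drops (the nginx-without-ssl_dhparam case), and any DH group below 2048 bits (the 1024-bit case shown above), are reported rather than eyeballed. The sample scan texts are constructed for illustration.

```python
import re

# Matches the per-cipher lines sslscan prints, e.g.
# "Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256   DHE 1024 bits"
LINE_RE = re.compile(
    r"^(?:Accepted|Preferred)\s+(?P<proto>TLSv1\.[0-3])\s+(?P<bits>\d+) bits\s+"
    r"(?P<suite>[A-Z0-9_-]+)(?:\s+DHE (?P<dhbits>\d+) bits)?"
)

# Constructed sample outputs, not real scans: the apache sample mirrors the lines
# quoted in the question with a 2048-bit group; the nginx sample has no DHE lines.
APACHE_SCAN = """
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256         DHE 2048 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA256         DHE 2048 bits
"""
NGINX_SCAN = """
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
"""

def parse_sslscan(text):
    """One dict per accepted cipher line; dhbits is None for non-DHE suites."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append({"proto": m["proto"], "suite": m["suite"],
                         "dhbits": int(m["dhbits"]) if m["dhbits"] else None})
    return rows

def dhe_suites(rows):
    return sorted(r["suite"] for r in rows if r["dhbits"] is not None)

def min_dh_group(rows):
    return min((r["dhbits"] for r in rows if r["dhbits"] is not None), default=None)

def compare_dhe(reference, candidate, min_bits=2048):
    """Findings: DHE suites the candidate dropped, and DH groups below min_bits."""
    ref, cand = parse_sslscan(reference), parse_sslscan(candidate)
    findings = []
    missing = sorted(set(dhe_suites(ref)) - set(dhe_suites(cand)))
    if missing:
        findings.append("candidate lacks DHE suites the reference offers "
                        "(ssl_dhparam unset?): " + ", ".join(missing))
    for name, rows in (("reference", ref), ("candidate", cand)):
        g = min_dh_group(rows)
        if g is not None and g < min_bits:
            findings.append(f"{name} offers a {g}-bit DH group, below {min_bits}")
    return findings
```

Feed it the saved output of `sslscan <website>` for each server; an empty result means both offer the same DHE suites with groups of at least 2048 bits.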
