How to use randomly generated 2048-bit Diffie-Hellman group in Apache httpd
Environment
- Red Hat Enterprise Linux (RHEL)
- httpd
- mod_ssl
- openssl
Issue
- How to specify Custom DH parameters
- How do I configure the server to use my own randomly generated 2048-bit Diffie-Hellman group?
- How to clear vulnerability reported as: "The server is using the following commonly used Diffie-Hellman primes", in Apache httpd?
Resolution
- Generate a 2048-bit Diffie-Hellman group file by running this command:

    $ openssl dhparam -out dhparams.pem 2048

- In newer versions of Apache (2.4.8 through 2.4.51) with OpenSSL 1.0.2 or later, point httpd at the parameter file in /etc/httpd/conf.d/ssl.conf (and in any custom file defining a secure VirtualHost) as follows. Note that this method is no longer supported in 2.4.52+ per ASF BZ-65764:

    SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}"

- In older Apache versions (< 2.4.8), as well as 2.4.52 and later, append the generated DH parameters to the end of the certificate file instead:

    $ cat dhparams.pem >> certificate.pem

- Once httpd is restarted, the following message is logged if the log level in /etc/httpd/conf.d/ssl.conf is set to debug:

    [Mon Jun 01 14:50:59 2015] [debug] ssl_engine_init.c(987): Custom DH parameters (2048 bits) for 127.0.0.1:443 loaded from /path/to/your/certfile.crt

  Refer to How to modify Apache httpd logging for details on setting the log level.
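The steps above depend on which httpd version is installed, and the generated group should be checked before it is trusted. The following shell script is an added example, not part of the Red Hat solution: it chooses the installation method from the httpd version using the version ranges given above, generates the group, verifies it with OpenSSL's own `-check` consistency test and confirms the 2048-bit size from the `-text` output, then either writes the `SSLOpenSSLConfCmd` line or appends the parameters to the certificate. The target paths (`/etc/httpd/conf.d/dhparams.pem`, the RHEL default certificate and ssl.conf locations in the usage comment) and the parsing of `httpd -v` output are assumptions about a RHEL-style layout.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): pick the DH parameter
# installation method for a given httpd version, then generate, check
# and install a fresh 2048-bit group. Paths are assumptions for RHEL.

# dh_method VERSION -> prints "confcmd" or "append"
#   < 2.4.8          : no SSLOpenSSLConfCmd; append params to the cert file
#   2.4.8 .. 2.4.51  : SSLOpenSSLConfCmd DHParameters is honoured
#   >= 2.4.52        : DHParameters no longer accepted (ASF BZ-65764); append
dh_method() {
    IFS=. read -r major minor patch <<EOF
$1
EOF
    # collapse the dotted version into one integer so ranges compare cleanly
    v=$(( major * 1000000 + minor * 1000 + ${patch:-0} ))
    if [ "$v" -ge 2004008 ] && [ "$v" -le 2004051 ]; then
        echo confcmd
    else
        echo append
    fi
}

# httpd_version -> e.g. "2.4.37", taken from the first line of `httpd -v`
# ("Server version: Apache/2.4.37 (Red Hat Enterprise Linux)")
httpd_version() {
    httpd -v 2>/dev/null | sed -n 's#^Server version: Apache/\([0-9.]*\).*#\1#p'
}

# dh_check FILE -> succeeds only if FILE holds DH parameters that pass
# OpenSSL's consistency check and are exactly 2048 bits long
dh_check() {
    openssl dhparam -in "$1" -check -noout >/dev/null 2>&1 || return 1
    openssl dhparam -in "$1" -text -noout | grep -q 'DH Parameters: (2048 bit)'
}

# dh_install CERT_FILE SSL_CONF [VERSION]
# Generates a new group, checks it, then installs it the way the running
# httpd version expects. A backup of the certificate is kept when appending.
dh_install() {
    cert=$1; conf=$2; ver=${3:-$(httpd_version)}
    params=$(mktemp) || return 1
    openssl dhparam -out "$params" 2048 || { rm -f "$params"; return 1; }
    if ! dh_check "$params"; then
        echo "generated parameters failed the 2048-bit consistency check" >&2
        rm -f "$params"
        return 1
    fi
    case $(dh_method "$ver") in
        confcmd)
            # assumed destination path for the parameter file
            install -m 0644 "$params" /etc/httpd/conf.d/dhparams.pem || return 1
            printf 'SSLOpenSSLConfCmd DHParameters "%s"\n' \
                /etc/httpd/conf.d/dhparams.pem >> "$conf"
            ;;
        append)
            cp -p "$cert" "$cert.bak" || return 1
            cat "$params" >> "$cert"
            ;;
    esac
    rm -f "$params"
    echo "installed DH parameters using method: $(dh_method "$ver")"
}

# Usage (RHEL default locations assumed; run as root, then restart httpd):
#   dh_install /etc/pki/tls/certs/localhost.crt /etc/httpd/conf.d/ssl.conf
```

After restarting httpd, the debug log line quoted above confirms that the custom group was loaded; if it is absent, the most likely cause is that the version-dependent method was mismatched, which is exactly what `dh_method` is meant to prevent.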
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.