View All Products
Compute
Storage
Networking
Databases
Services
Developer Tools
Industries
Pricing
Community
Engage With Us
Community Questions Apache issue with "Client does not support DH parameters > 1024 bits"
Log in to Ask a Question

Apache issue with "Client does not support DH parameters > 1024 bits"

development

I have a Magento website that uses 3rd party software to update the products on there, and I moved the site from another host to a Linode server that's running Debian 7 with Apache and MySQL.

However, the developers of the software have told me that their software can't connect. The error message is "Client does not support DH parameters > 1024 bits".

I've upgraded Apache to 2.4.18, OpenSSL to 1.0.2 and have added the "SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"" to the Virtual host file for the website. However, testing the site on the Qualsys website still delivered the "Client does not support…" error.

So what can i do or have I missed anything?

2 Replies

You are currently using a 4096bit DH parameter file, you would have to regenerate one for 1024bit or the developers will have to upgrade (sounds like they are using Java 6.0, if so try Java 7.0). Because this will reduce the level of security of your TLS configuration.

You can regenerate this file

openssl dhparam -out dhparam.pem 1024

1024-bit DH is not secure. It's likely that 1024-bit DH using common parameters is broken by billion-dollar sigint agencies; using custom parameters as dayotn967 suggested, they'll never bother with you, but they could. (Legal orders are cheaper than supercomputer time.)

You should tell your third-party "friends" to stop using garbage obsolete crypto in garbage obsolete Java versions.

Java 8 supports up to 2048-bit DH, which is large enough to be secure, though not as slow and hipster as 4096 bits.

Java 7 and newer also support ECDHE cipher suites, which are better in almost every way. (You should ensure they're enabled on your server.)

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Log in to Reply
Community Code of Conduct