How can strong Diffie-Hellman key exchange parameters be supplied to the NodeBalancer?
While testing a NodeBalancer's SSL/TLS configuration using Qualys' SSL Server Test, a grade can be capped at a "B" if weak Diffie-Hellman key exchange parameters are found.
This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B. MORE INFO »
If this is all that is keeping a TLS/SSL configuration from "A" or "A+" score, how can strong Diffie-Hellman key exchange parameters be supplied to the NodeBalancer?
2 Replies
The process involves two steps.
Step 1: Generating the strong key exchange parameters
The process to generate strong Diffie-Hellman key exchange parameters is documented on the linked weakdh.org site.
https://weakdh.org/sysadmin.html
From the linked guide:
… The simplest way of generating a new group is to use OpenSSL:
openssl dhparam -out dhparams.pem 2048
Step 2: Adding strong key exchange parameters to NodeBalancer
The command cited in Step 1 will create a file called dhparams.pem
. The contents of this file can be appended to your current "SSL Certificate" portion of the NodeBalancers TLS/SSL configuration.
$ cat example.crt dhparams.pem
The output of the above command will vary depending on a few things (for example, if you have a certificate chain), but the gist is the same. The contents of dhparams.pem
just need to be appended to your existing certificate.
An example of the output, and the format expected by the NodeBalancer, is as follows:
Note: Do not use the below values. They were generated solely for use in this example.
-----BEGIN CERTIFICATE-----
MIICmTCCAgICCQCI3QsyOasYEjANBgkqhkiG9w0BAQsFADCBkDELMAkGA1UEBhMC
VVMxFTATBgNVBAgMDFBlbm5zeWx2YW5pYTEVMBMGA1UEBwwMUGhpbGFkZWxwaGlh
MRgwFgYDVQQKDA9FeGFtcGxlIENvbXBhbnkxFTATBgNVBAMMDEV4YW1wbGUgVXNl
cjEiMCAGCSqGSIb3DQEJARYTZXhhbXBsZUBleGFtcGxlLmNvbTAeFw0xODAzMjYx
MzUzMzRaFw0xOTAzMjYxMzUzMzRaMIGQMQswCQYDVQQGEwJVUzEVMBMGA1UECAwM
UGVubnN5bHZhbmlhMRUwEwYDVQQHDAxQaGlsYWRlbHBoaWExGDAWBgNVBAoMD0V4
YW1wbGUgQ29tcGFueTEVMBMGA1UEAwwMRXhhbXBsZSBVc2VyMSIwIAYJKoZIhvcN
AQkBFhNleGFtcGxlQGV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQDV4QVqezdXRKlBGyqYZ1bA0Txe5QEgraLVXuok6raNh4G7sXPwl/w8nbAa
J4n8GYYvgT3QHUqrCZJDfAC7e/AhnHPvryI5LKLBAMCDt/YSQQ6x2QKd/5R5ltzV
3ByeCT2kSU+xRCBL4Pycz9NLvHon8wzh7td/SNxxBdLWi94SXwIDAQABMA0GCSqG
SIb3DQEBCwUAA4GBAALPST96qwfJzpCYsp2nqcVWg5VGim1q7oz4TdNV15Z1O+ov
q2631JKLEAtdc7kV0rSF7okHWmnVh9+ict2WCNFuCgq4vpqaVEUUuItRcsUV/1L2
D06ubz65JxOiRiZEAddau+Ir+wckvu/qmkG/jsqaoEkQzMU1sDuanUGZIg9U
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA2Sj/K9zGH0eg52XalmcO3md0w/nDI1Cr9afpCL6Mz0+HAUk3Rqf/
aAvxEoXMS0gs2EDRRz6W1uGtg3GP7ruZLIcucbL2ak08VTZcQ0TBm9Yhrm0EA0ra
JfveodiOzGtrKOrFnzQefM6hT23TNvcsZoi1RL0kMWY7uLb74ko0bgchE7eE3EBf
3pO2shEUbiI7TghMlzjEuu93HY+uDVNUQfdeNlLE9oIaOAfs8mTnkLRZrqipqDHI
/tpSt6Z6wtEV4DzDq7xiUkn04lm6RZJnDvgmU5DZzvjebFo8idD3ncM4L6aLnmuG
GCsPHg8aCXATZbgoWzZn6LnnN9trXuv2SwIBAg==
-----END DH PARAMETERS-----
This can be pasted into the "SSL Certificate" portion of the NodeBalancer's TLS/SSL configuration.
Link to NodeBalancer SSL Configuration, with photos of referenced field.
After following the above steps, https://www.ssllabs.com still gives our site the B rating, with the same warning of "weak Diffie-Hellman (DH) key exchange parameters". Is 2048 no longer considered strong enough?
Also, "The output of the above command will vary depending on a few things (for example, if you have a certificate chain)" is too broad a statement to be useful to anyone. In the scenario where a site has a certificate chain, which ours does, should dh parameters be placed after the site certificate and before the chain, or after the chain? Or does either work? I have tried both ways, with neither appearing to resolve the weak parameters issue.