The Community Forums


Change DH group key size?

Discussion in 'Security' started by Spork Schivago, Jun 23, 2017.

  1. Spork Schivago

    Spork Schivago Well-Known Member

    Hello,

    I'm trying to set a stronger DH group key size. SSL is something I've struggled with for a while, I just cannot seem to retain the information that I learn about it, so I apologize if some of the stuff I write here is incorrect.

    I want to set a stronger DH group key size. My understanding is I can create a .pem file with a command like this:
    Code:
    openssl dhparam -out dhparams.pem 2048
    
    But the problem I'm having is figuring out what to do with it afterwards. I tried setting
    Code:
    SSLOpenSSLConfCmd DHParameters /var/cpanel/ssl/installed/certs/dhparam.pem
    
    in the pre-virtual host include file in WHM, but this fails. After reading the documentation on Apache's website, I see:
    Code:
    The set of available SSLOpenSSLConfCmd commands depends on the OpenSSL version being used for mod_ssl (at least version 1.0.2 is required)
    
    Running CentOS 7, I have OpenSSL version 1.0.1e-fips 11 Feb 2013

    How can I apply this group key size globally to my site? For the main domain, all the subdomains, the cPanel services, etc.?

    Is something like:
    Code:
    cat dhparam.pem >> /var/cpanel/ssl/installed/certs/www_example_com_b63d9_18fa7_1505665680_e6a716ef8c92bc174238c1c0f5d456bc.crt
    
    the answer? I manually generate SSL certificates using Let's Encrypt.

    Any suggestions on how to accomplish what I want to accomplish? I want the stronger key group because I believe it helps make my site a little more secure for visitors.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    You'd need to wait until your system uses OpenSSL version 1.0.2 or newer before that value is supported. It's actually planned for CentOS 7.4. You can read more about it (CentOS 7.4) on the following post:

    Why no support for HTTP 2.0?

    Thank you.
     
  3. Spork Schivago

    Spork Schivago Well-Known Member

    So I need to wait for CentOS to add OpenSSL version 1.0.2 before I can use the dh key group 2048 stuff? Or before I can use the
    SSLOpenSSLConfCmd? I knew the version of OpenSSL I have doesn't support the SSLOpenSSLConfCmd, but I didn't realize that meant I couldn't do the dhparam stuff some other way. I just want to make sure I'm understanding you correctly.

    Thanks.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    By default, the cipher suite provided in a default cPanel installation should result in Apache using a DH key size of 2048MB. Could you verify how you are checking the existing DH key size and seeing a lower value?

    Thank you.
     
  5. Spork Schivago

    Spork Schivago Well-Known Member

    I saw it in WHM >> SSL / TLS >> Manage SSL Hosts. It showed a key size less than 2048 and gave a warning, but it turned out it was something I did wrong. I created new subdomains (ipv4.example.com and ipv6.example.com) and set an IPv4 DNS A RR record for ipv4.example.com and an IPv6 DNS AAAA RR record for ipv6.example.com, but I didn't realize I wasn't creating the SSL certs properly for the two subdomains. I fixed that though.

    The main reason for the post though was I wanted 4096 DH key sizes. I don't know why I was typing 2048 in the previous posts. Sorry about that. I know 4096 bits is currently impossible to break with our current technology, but years ago, I thought they said that about 1024 key sizes. I believe the technology currently exists to break 1024 key sizes. I was just trying to future-proof a bit, that's all. It's not really important at this point, I don't think. Just figured if I could set 4096 key sizes and generate 4096 certs, I probably should.

    Thanks!
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    As I understand, the only way you can do this is to generate the key yourself with the openssl command, and then configure Apache to use it with an entry like this:

    Code:
    SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}"
    However, it's not possible to use the above configuration value with Apache unless your system uses OpenSSL 1.0.2 or later. Thus, you'd need to wait until a newer OpenSSL package is installed on your system (the newer OpenSSL version is included with the upcoming CentOS 7.4). You may also want to vote and add feedback to the following feature request:

    AutoSSL with 4096 bit option

    Thank you.
     
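A way to verify what a generated dhparams.pem actually contains before pointing SSLOpenSSLConfCmd at it, as an added example that is not from this thread or from cPanel: it parses the PKCS#3 structure that `openssl dhparam` writes and reports the prime's bit length, so a 1024-bit file (the kind of thing behind the WHM key-size warning mentioned above) is caught before deployment. The modulus used for the self-check is constructed for the example and is not a real safe prime.

```python
import base64
import re
# PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }, the structure
# `openssl dhparam` writes base64-wrapped inside a "DH PARAMETERS" PEM block.
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # pad so the INTEGER stays positive
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body

def encode_dh_params_pem(p: int, g: int = 2) -> str:
    """Emit p and g in the PEM layout `openssl dhparam -out dhparams.pem` uses."""
    seq_body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(seq_body)) + seq_body
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"

def _read_tlv(buf: bytes, pos: int):
    # Returns (tag, contents, next_pos); handles short and long DER length forms.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dh_param_bits(pem_text: str) -> int:
    """Bit length of the DH prime, i.e. the group size WHM's key-size warning refers to."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block in input")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH parameters are not a SEQUENCE")
    tag, prime, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("first SEQUENCE element is not an INTEGER")
    return int.from_bytes(prime, "big").bit_length()

def dh_params_acceptable(pem_text: str, minimum_bits: int = 2048) -> bool:
    """Pre-deployment check: reject a file smaller than the size you meant to generate."""
    return dh_param_bits(pem_text) >= minimum_bits
# Constructed modulus for the self-check only: NOT a safe prime, never deploy it.
SAMPLE_2048_PEM = encode_dh_params_pem((1 << 2047) | 1)
```

On a real file, `dh_param_bits(open("dhparams.pem").read())` gives the same number `openssl dhparam -in dhparams.pem -text -noout` prints as the prime size.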