Spork Schivago

Well-Known Member
Jan 21, 2016
597
64
28
corning, ny
cPanel Access Level
Root Administrator
Hello,

I'm trying to set a stronger DH group key size. SSL is something I've struggled with for a while, I just cannot seem to retain the information that I learn about it, so I apologize if some of the stuff I write here is incorrect.

I want to set a stronger DH group key size. My understanding is I can create a .pem file with a command like this:
Code:
openssl dhparam -out dhparams.pem 2048
But the problem I'm having is figuring out what to do with it afterwards. I tried setting
Code:
SSLOpenSSLConfCmd DHParameters /var/cpanel/ssl/installed/certs/dhparam.pem
in the pre-virtual host include file in WHM, but this fails. After reading the documentation on Apache's website, I see:
Code:
The set of available SSLOpenSSLConfCmd commands depends on the OpenSSL version being used for mod_ssl (at least version 1.0.2 is required)
Running CentOS 7, I have OpenSSL version 1.0.1e-fips 11 Feb 2013

How can I apply this group key size globally to my site? For the main domain, all the subdomains, the cPanel services, etc?

Is something like:
Code:
cat dhparam.pem >>/var/cpanel/ssl/installed/certs/www_example_com_b63d9_18fa7_1505665680_e6a716ef8c92bc174238c1c0f5d456bc.crt
the answer? I manually generate SSL certificates using Let's Encrypt.

Any suggestions on how to accomplish what I want to accomplish? I want the stronger key group because I believe it helps make my site a little more secure for visitors.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,216
463
But the problem I'm having is figuring out what to do with it afterwards. I tried setting
Code:
SSLOpenSSLConfCmd DHParameters /var/cpanel/ssl/installed/certs/dhparam.pem
in the pre-virtual host include file in WHM, but this fails. After reading the documentation on Apache's website, I see:
Code:
The set of available SSLOpenSSLConfCmd commands depends on the OpenSSL version being used for mod_ssl (at least version 1.0.2 is required)
Running CentOS 7, I have OpenSSL version 1.0.1e-fips 11 Feb 2013
Hello,

You'd need to wait until your system uses OpenSSL version 1.0.2 or newer before that value is supported. It's actually planned for CentOS 7.4. You can read more about it (CentOS 7.4) on the following post:

Why no support for HTTP 2.0?

Thank you.
 

Spork Schivago

Hello,

You'd need to wait until your system uses OpenSSL version 1.0.2 or newer before that value is supported. It's actually planned for CentOS 7.4. You can read more about it (CentOS 7.4) on the following post:

Why no support for HTTP 2.0?

Thank you.
So I need to wait for CentOS to add OpenSSL version 1.0.2 before I can use the dh key group 2048 stuff? Or before I can use the
SSLOpenSSLConfCmd? I knew the version of OpenSSL I have doesn't support the SSLOpenSSLConfCmd, but I didn't realize that meant I couldn't do the dhparam stuff some other way. I just want to make sure I'm understanding you correctly.

Thanks.
 

cPanelMichael

Hello,

By default, the cipher suite provided in a default cPanel installation should result in Apache using a DH key size of 2048MB. Could you verify how you are checking the existing DH key size and seeing a lower value?

Thank you.
 

Spork Schivago

I saw it in WHM >> SSL / TLS >> Manage SSL Hosts. It showed a keysize less than 2048 and gave a warning, but it turned out it was something I did wrong. I created new subdomains (ipv4.example.com and ipv6.example.com) and set an IPv4 DNS A RR record for ipv4.example.com and an IPv6 DNS AAAA RR record for ipv6.example.com, but I didn't realize I wasn't creating the SSL certs properly for the two subdomains. I fixed that though.

The main reason for the post though was I wanted 4096 DH key sizes. I don't know why I was typing 2048 in the previous posts. Sorry about that. I know 4096 bits is currently impossible to break with our current technology, but years ago, I thought they said that about 1024 key sizes. I believe the technology currently exists to break 1024 key sizes. I was just trying to future proof a bit, that's all. It's not really important at this point, I don't think. Just figured if I could set 4096 key sizes and generate 4096 certs, I probably should.

Thanks!
 

cPanelMichael

The main reason for the post though was I wanted 4096 DH key sizes. I don't know why I was typing 2048 in the previous posts. Sorry about that. I know 4096 bits is currently impossible to break with our current technology, but years ago, I thought they said that about 1024 key sizes. I believe the technology current exists to break 1024 key sizes. I was just trying to future proof a bit, that's all. It's not really important at this point I don't think. Just figured if I could set 4096 key sizes and generate 4096 certs, I probably should.
Hello,

As I understand, the only way you can do this is to generate the key yourself with the openssl command, and then configure Apache to use it with an entry like this:

Code:
SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}"
However, it's not possible to use the above configuration value with Apache unless your system uses OpenSSL 1.0.2 or later. Thus, you'd need to wait until a newer OpenSSL package is installed on your system (the newer OpenSSL version is included with the upcoming CentOS 7.4). You may also want to vote and add feedback to the following feature request:

AutoSSL with 4096 bit option

Thank you.
 
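As an added example (not from this thread, and not cPanel's or Apache's own tooling), the POSIX shell script below makes the decision discussed in the posts above explicit. It parses the `openssl version` string to decide whether mod_ssl can use SSLOpenSSLConfCmd (OpenSSL 1.0.2 or newer, as the Apache documentation quoted in the first post says); on older OpenSSL it falls back to the approach the original poster guessed at, appending the "DH PARAMETERS" block to the first SSLCertificateFile, which mod_ssl in Apache 2.4.7 and later reads as custom DH parameters. It also includes helpers to report the bit size of a dhparam file and the DH group a live server actually negotiates for a DHE cipher (DH sizes are bits, not megabytes). The file paths and version strings are assumptions for illustration. One caveat for cPanel: the files under /var/cpanel/ssl/installed/certs are written by cPanel when a certificate is installed (the filename even embeds a timestamp), so an appended block would have to be re-applied after every certificate reinstall, and SSLOpenSSLConfCmd is the cleaner option as soon as OpenSSL 1.0.2 is available.

```shell
#!/bin/sh
# Added example: choose how to install custom DH parameters for Apache/mod_ssl
# depending on the OpenSSL version, and verify what is in use.

# Return 0 if the "OpenSSL x.y.z..." string in $1 is 1.0.2 or newer, i.e.
# mod_ssl built against it supports SSLOpenSSLConfCmd. Return 2 on an
# unparseable string. Pure shell, so it works without openssl installed.
openssl_has_confcmd() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 2
    set -- $ver                      # split into major minor patch
    if [ "$1" -gt 1 ]; then return 0; fi
    if [ "$1" -lt 1 ]; then return 1; fi
    if [ "$2" -gt 0 ]; then return 0; fi
    [ "$3" -ge 2 ]
}

# Print the Apache configuration line for the OpenSSL version string in $1,
# with the DH parameter file at $2 (path is an assumption).
dhparam_directive() {
    if openssl_has_confcmd "$1"; then
        printf 'SSLOpenSSLConfCmd DHParameters "%s"\n' "$2"
    else
        printf '# OpenSSL < 1.0.2: no SSLOpenSSLConfCmd; append %s to the first SSLCertificateFile (Apache >= 2.4.7)\n' "$2"
    fi
}

# Fallback for old mod_ssl: append the DH PARAMETERS block from $2 to the
# certificate file $1, keeping a backup and never appending twice.
append_dhparams() {
    cert=$1
    dh=$2
    grep -q 'BEGIN DH PARAMETERS' "$cert" && return 0
    cp "$cert" "$cert.bak" && cat "$dh" >> "$cert"
}

# Report the prime size (in bits) of a dhparam PEM file. Needs openssl.
dhparam_bits() {
    openssl dhparam -in "$1" -text -noout 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Show the ephemeral DH group a live server negotiates for a DHE cipher,
# e.g. "Server Temp Key: DH, 2048 bits". Needs network access and an
# openssl s_client that prints that line (1.0.2 or newer).
check_server_dh() {
    echo | openssl s_client -connect "$1" -cipher 'DHE' 2>/dev/null |
        grep -i 'Server Temp Key'
}

# Typical use on the server (not executed here):
#   openssl dhparam -out /etc/ssl/dhparams.pem 4096
#   dhparam_directive "$(openssl version)" /etc/ssl/dhparams.pem
#   dhparam_bits /etc/ssl/dhparams.pem
#   check_server_dh www.example.com:443
```

If `dhparam_directive` prints the SSLOpenSSLConfCmd line, put it in the WHM pre-virtual-host include and restart Apache; if it prints the comment, run `append_dhparams` against the first SSLCertificateFile of each vhost instead, and re-run it whenever cPanel reinstalls the certificate. `check_server_dh` is the quickest way to confirm the change took effect from the outside.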