Add DH parameters note to policy_intermediate.conf (#212)

For DHE ciphersuites, adding a diffie hellman parameter is a good practice. Only the intermediate policy uses DHE ciphersuites.
2018-12-02 17:05:11 +01:00 · 2018-12-02 17:05:11 +01:00 · df23e0ba8c
parent 86d8ed33ca
commit df23e0ba8c
1 changed files with 9 additions and 0 deletions
--- a/h5bp/ssl/policy_intermediate.conf
+++ b/h5bp/ssl/policy_intermediate.conf
@ -13,9 +13,18 @@
 # Based on intermediate profile recommended by Mozilla.
 # https://mozilla.github.io/server-side-tls/ssl-config-generator/
 #
+# (1) Diffie-Hellman parameter for DHE cipher suites
+#     A 4096 bits or more DH parameter is recommended.
+#     (!) A DH parameter generation is required to enable this directive.
+#         openssl dhparam -out /etc/nginx/dhparam.pem 4096
+#     https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
+#
 # https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
 # https://nginx.org/en/docs/http/ngx_http_ssl_module.html

 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA;
 ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
+
+# (1)
+# ssl_dhparam /etc/nginx/dhparam.pem;