nginx and ephemeral Diffie-Hellman keys
is at rambler-co.ru
Sat Jun 14 08:09:13 MSD 2008
On Fri, Jun 13, 2008 at 11:13:37PM +0200, Jauder Ho wrote:
> Patch applied and testing now.
> From reading the patch, it looks like the key is generated once. I did
No, not the key itself but the DH parameters, which will be used to generate the DH keys.
> some more digging and reference
> Key should be changed out every so often.
> - o Diffie-Hellman-Parameters for temporary keys are hardcoded in
> - ssl_engine_dh.c, while the comment in ssl_engine_kernel.c says:
> - "it is suggested that keys be changed daily or every 500
> - transactions, and more often if possible."
Nevertheless Apache still uses hardcoded DH parameters and does not allow
overriding them.
Actually both nginx and Apache use SSL_CTX_set_options(SSL_OP_SINGLE_DH_USE)
and OpenSSL generates a new DH key during the negotiation.
BTW, in the RSA-only case the only keys used in the negotiation are the
server certificate keys, and those are not changed for a year.
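The distinction drawn in the reply above (DH parameters are produced once and then fixed, while a fresh DH key is drawn for each negotiation when SSL_OP_SINGLE_DH_USE is set) in toy Python. This is an added example, not code from the thread, nginx, Apache or OpenSSL. It assumes classic finite-field DH over a safe-prime group, generates 64-bit toy parameters so the search finishes instantly (real deployments use 2048-bit or larger groups from `openssl dhparam`), and the function names are my own.

```python
import secrets
from typing import Dict, List, Optional, Tuple

# Toy finite-field Diffie-Hellman. Two separate steps are deliberately kept
# apart, mirroring the thread:
#   1. generate_dh_parameters(): the expensive, one-time step (p, g)
#   2. generate_dh_keypair():    the cheap, per-negotiation step (x, g^x mod p)
# Bit sizes here are for illustration only (constructed toy values).


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin probabilistic primality test with trial division first."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)          # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # definite composite witness
    return True


def generate_dh_parameters(bits: int) -> Tuple[int, int]:
    """Search for a safe prime p = 2q + 1 and return (p, g).

    This is the costly step that a server does once (or loads from a file);
    nothing in it is secret, so reusing the result across connections is fine.
    """
    while True:
        # q: (bits-1)-bit odd candidate with its top bit set, so p has `bits` bits
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if not is_probable_prime(q):
            continue
        p = 2 * q + 1
        if is_probable_prime(p):
            # g = 2 has order q or 2q in a safe-prime group; large either way
            return p, 2


def generate_dh_keypair(p: int, g: int) -> Tuple[int, int]:
    """Per-handshake step: a fresh private exponent and its public value."""
    q = (p - 1) // 2
    x = 2 + secrets.randbelow(q - 2)              # private exponent in [2, q-1]
    return x, pow(g, x, p)


def handshake(p: int, g: int, server_private: Optional[int] = None) -> Dict[str, int]:
    """One DH exchange between a client and a server sharing (p, g).

    server_private=None means the server draws a fresh key for this
    negotiation (the SSL_OP_SINGLE_DH_USE behaviour); passing a value means
    the server reuses that long-lived exponent across negotiations.
    """
    if server_private is None:
        server_private, server_public = generate_dh_keypair(p, g)
    else:
        server_public = pow(g, server_private, p)
    client_private, client_public = generate_dh_keypair(p, g)
    # Both sides compute g^(xy) mod p from the other side's public value.
    server_secret = pow(client_public, server_private, p)
    client_secret = pow(server_public, client_private, p)
    assert server_secret == client_secret
    return {"server_public": server_public, "shared_secret": server_secret}


def run_sessions(p: int, g: int, single_dh_use: bool, count: int = 3) -> List[Dict[str, int]]:
    """Run `count` negotiations against the same parameters.

    With single_dh_use=True every session gets a new server key; with False
    one server exponent is drawn once and reused, so the server's public
    value is identical in every session.
    """
    reused_private = None if single_dh_use else generate_dh_keypair(p, g)[0]
    return [handshake(p, g, reused_private) for _ in range(count)]


if __name__ == "__main__":
    p, g = generate_dh_parameters(64)             # done once
    print("parameters: p =", p, "g =", g)
    for label, flag in (("single-use keys", True), ("reused key", False)):
        sessions = run_sessions(p, g, single_dh_use=flag)
        publics = {s["server_public"] for s in sessions}
        print(f"{label}: {len(publics)} distinct server public value(s) over {len(sessions)} sessions")
```

Running it shows the same (p, g) serving every session while the server's public value (and hence the session secret) changes per negotiation only when a fresh key is drawn each time, which is what the reply means by parameters being generated once but keys per negotiation.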