ssl_dhparam compatibility issues?
emailgrant at gmail.com
Sat May 23 15:39:38 UTC 2015
>> I'm using Mozilla's "Old backward compatibility" ssl_ciphers so I feel
>> good about my compatibility there, but does the following open me up
>> to potential compatibility problems:
>> # openssl dhparam -out dhparams.pem 2048
> DHE params larger than 1024 bits are not compatible with java 6/7 clients.
> If you need compatibility with those clients, use a DHE of 1024 bits, or
> disable DHE entirely.
My server is open to the internet so I'd like to maintain
compatibility with as many clients as possible, but I don't serve any
java apps. Given that, will DHE params larger than 1024 bits affect
If so, I believe a DHE of 1024 bits opens me to the LogJam attack, so
if I disable DHE entirely will that affect my compatibility?
More information about the nginx