nginx and ephemeral Diffie-Hellman keys

Igor Sysoev is at
Sat Jun 14 08:09:13 MSD 2008

On Fri, Jun 13, 2008 at 11:13:37PM +0200, Jauder Ho wrote:

> Patch applied and testing now.
> From reading the patch, it looks like the key is generated once. I did

No, not the key itself but the DH parameters, which will be used to generate DH keys.

> some more digging and reference 
> Key should be changed out every so often.
>   - o Diffie-Hellman-Parameters for temporary keys are hardcoded in
>   -   ssl_engine_dh.c, while the comment in ssl_engine_kernel.c says:
>   -   "it is suggested that keys be changed daily or every 500
>   -    transactions, and more often if possible."

Nevertheless, Apache still uses hardcoded DH parameters and does not allow
overriding them.

Actually, both nginx and Apache use SSL_CTX_set_options(SSL_OP_SINGLE_DH_USE),
and OpenSSL generates a new DH key during the negotiation.

BTW, in the RSA-only case the only keys used in the negotiation are the
server certificate keys, which are not changed for a year.

Igor Sysoev
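As an added illustration of the distinction drawn above (not code from nginx, Apache or the patch under discussion): a toy Diffie-Hellman in pure Python in which the expensive parameter generation runs once, while the server's private exponent is fresh on every handshake, as SSL_OP_SINGLE_DH_USE makes OpenSSL do. The function names and the constructed 64-bit parameter size are assumptions for illustration only and are far too small for real use.

```python
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin, sufficient for the toy parameter generator below."""
    if n < 4:
        return n > 1
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_dh_parameters(bits=64):
    """Slow, one-time step: safe prime p = 2q + 1 and generator g = 2.
    These are the public 'DH parameters' generated once (or hardcoded by
    Apache); they are not secret and may be reused for a long time."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, 2

def dh_keypair(p, g):
    """Cheap per-handshake step: fresh private exponent and public value."""
    x = secrets.randbelow(p - 3) + 2
    return x, pow(g, x, p)

def handshake(p, g, server_priv=None):
    """One DHE exchange. server_priv=None models SSL_OP_SINGLE_DH_USE
    (new server exponent per negotiation); a fixed server_priv models
    a server that reuses one DH key across connections."""
    if server_priv is None:
        server_priv = dh_keypair(p, g)[0]
    server_pub = pow(g, server_priv, p)
    client_priv, client_pub = dh_keypair(p, g)
    secret_at_server = pow(client_pub, server_priv, p)
    secret_at_client = pow(server_pub, client_priv, p)
    assert secret_at_server == secret_at_client
    return server_pub, secret_at_server
```

Two handshakes with the default (single-use) mode yield different server public values, so compromise of one exponent does not expose the others; passing the same server_priv twice reproduces the reused-key behaviour the thread warns about.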
