nginx and ephemeral Diffie-Hellman keys
Igor Sysoev
is at rambler-co.ru
Sat Jun 14 08:09:13 MSD 2008
On Fri, Jun 13, 2008 at 11:13:37PM +0200, Jauder Ho wrote:
> Patch applied and testing now.
>
> From reading the patch, it looks like the key is generated once. I did
No, not the key itself but the DH parameters, which will be used to generate DH keys.
> some more digging and reference
> http://mail-archives.apache.org/mod_mbox/httpd-cvs/200205.mbox/%3C20020530181716.22766.qmail@icarus.apache.org%3E
>
> Key should be changed out every so often.
>
> - o Diffie-Hellman-Parameters for temporary keys are hardcoded in
> - ssl_engine_dh.c, while the comment in ssl_engine_kernel.c says:
> - "it is suggested that keys be changed daily or every 500
> - transactions, and more often if possible."
Nevertheless Apache still uses hardcoded DH parameters and does not allow
overriding them.
Actually both nginx and Apache use SSL_CTX_set_options(SSL_OP_SINGLE_DH_USE),
and OpenSSL generates a new DH key during the negotiation.
BTW, in the RSA-only case the only keys used in the negotiation are the
server certificate keys, which are not changed for a year.
--
Igor Sysoev
http://sysoev.ru/en/
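An added illustration of the distinction Igor draws (example code, not from the thread, nginx or OpenSSL): the DH parameters (p, g) are loaded once, while a fresh private/public pair is generated for every handshake, which is what SSL_OP_SINGLE_DH_USE asks OpenSSL to do. The group is the 1024-bit MODP prime from RFC 2409 transcribed here; the helper names are assumed.

```python
import secrets
from dataclasses import dataclass

# Long-lived DH parameters: the 1024-bit MODP group of RFC 2409 section 6.2
# ("group 2"), generator 2. Transcribed from the RFC; this is the part that
# nginx loads once (ssl_dhparam) and Apache has hardcoded.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2


@dataclass(frozen=True)
class DHParams:
    p: int
    g: int


def load_dh_params():
    """Done once at server startup; the parameters never change afterwards."""
    return DHParams(P, G)


def generate_ephemeral_key(params):
    """Per-handshake step (what SSL_OP_SINGLE_DH_USE makes OpenSSL do):
    a fresh private exponent x and the public value y = g^x mod p.
    A full-length exponent is used here for simplicity."""
    x = secrets.randbelow(params.p - 2) + 1  # 1 <= x <= p-2
    y = pow(params.g, x, params.p)
    return x, y


def shared_secret(params, private, peer_public):
    """Reject degenerate peer values (0, 1, p-1) before exponentiating."""
    if not 1 < peer_public < params.p - 1:
        raise ValueError("invalid peer DH public value")
    return pow(peer_public, private, params.p)


def simulate_handshakes(n):
    """Run n handshakes on the same parameters; returns (server_public, secret)
    per handshake so a caller can see that both differ every time."""
    params = load_dh_params()
    results = []
    for _ in range(n):
        x_s, y_s = generate_ephemeral_key(params)  # server side
        x_c, y_c = generate_ephemeral_key(params)  # client side
        secret = shared_secret(params, x_s, y_c)
        assert secret == shared_secret(params, x_c, y_s)
        results.append((y_s, secret))
    return results
```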