ssl_dhparam compatibility issues?
Grant
emailgrant at gmail.com
Sat May 23 15:39:38 UTC 2015
>> I'm using Mozilla's "Old backward compatibility" ssl_ciphers so I feel
>> good about my compatibility there, but does the following open me up
>> to potential compatibility problems:
>>
>> # openssl dhparam -out dhparams.pem 2048
>
>
> DHE params larger than 1024 bits are not compatible with Java 6/7 clients.
> If you need compatibility with those clients, use a DHE of 1024 bits, or
> disable DHE entirely.
My server is open to the internet so I'd like to maintain
compatibility with as many clients as possible, but I don't serve any
Java apps. Given that, will DHE params larger than 1024 bits affect
my compatibility?

If so, I believe a DHE of 1024 bits opens me to the LogJam attack, so
if I disable DHE entirely will that affect my compatibility?

- Grant