Why specify ssl_dhparam in nginx config? What is the risk if it is removed from the config?
Now about ssl_dhparam /etc/pki/nginx/dhparam.pem; - this is necessary for us to achieve Forward Secrecy. Forward secrecy means that if a third party learns any session key, it can only access the data protected by that key. To maintain perfect forward secrecy, the key used to encrypt the transmitted data must not be used to derive any additional keys. Also, if the key used to encrypt the transmitted data was derived from some other key material, that material should not be used to derive any other keys.
dhparam is a prime number used in the Diffie-Hellman algorithm to exchange session keys with the client.
Specifying ssl_dhparam makes the DHE/EDH family of cipher suites available for use in nginx. These are precisely the ones that provide Forward Secrecy, the ones mentioned in your quote. In a nutshell, when using cipher suites with FS, an attacker will not be able to decrypt intercepted traffic even if he takes possession of the server's private key.
A small value of this prime enables the Logjam attack on TLS, so a large one should be generated. 4096 bits will be enough with a margin.
Command to generate the dhparam file:
openssl dhparam -out /etc/pki/nginx/dhparam.pem 4096
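As an added example, not part of the original answer, here is a small dependency-free Python checker for the file that ssl_dhparam points at: it parses the PEM that openssl dhparam writes and flags a modulus below 2048 bits, the size class the Logjam attack targets. The sample PEMs are constructed inside the block from placeholder moduli and are not real safe primes; for a real file pass open(path).read() to check_dhparam.

```python
import base64
import re

MIN_DH_BITS = 2048  # floor, not target: Logjam becomes practical below this; the answer recommends 4096

def _der_len(n):
    """DER length field: one byte below 0x80, otherwise 0x80|size followed by size length bytes."""
    size = (n.bit_length() + 7) // 8
    return bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
def _der_int(n):
    """DER INTEGER; (bits + 8) // 8 bytes leaves a leading 0x00 so a high-bit modulus stays positive."""
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body
def _read_len(buf, i):
    """(length, index past the length field) for the DER length at buf[i]; long form if high bit set."""
    size = buf[i] & 0x7F
    return (buf[i], i + 1) if buf[i] < 0x80 else (int.from_bytes(buf[i + 1:i + 1 + size], "big"), i + 1 + size)
def _read_int(buf, i):
    if buf[i] != 0x02:
        raise ValueError("expected DER INTEGER")
    length, i = _read_len(buf, i + 1)
    return int.from_bytes(buf[i:i + length], "big"), i + length

def parse_dhparams(pem):
    """Parse an 'openssl dhparam' PEM (SEQUENCE { INTEGER p, INTEGER g, ... }) into (p, g)."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected DER SEQUENCE")
    _, i = _read_len(der, 1)
    p, i = _read_int(der, i)
    g, _ = _read_int(der, i)
    return p, g

def check_dhparam(pem, min_bits=MIN_DH_BITS):
    """Modulus size and pass/fail against the floor; run this on the file ssl_dhparam points to."""
    p, g = parse_dhparams(pem)
    return {"bits": p.bit_length(), "generator": g, "ok": p.bit_length() >= min_bits}

def make_dhparam_pem(p, g=2):
    """Encode (p, g) as PEM; used here only to build the constructed sample inputs below."""
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))

# Constructed samples: placeholder moduli of the right size, NOT real safe primes.
WEAK_PEM = make_dhparam_pem(2**511 + 1)      # 512-bit export-grade size, what Logjam exploits
STRONG_PEM = make_dhparam_pem(2**4095 + 1)   # 4096-bit, the size the answer recommends
```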