Why specify ssl_dhparam in nginx config? What is the risk if it is removed from the config?

V

VITYA-XY12021-05-06 10:47:14

Nginx

VITYA-XY1, 2021-05-06 10:47:14

Now about ssl_dhparam /etc/pki/nginx/dhparam.pem; - this is necessary for us to earn Forward Secrecy. Forward secrecy means that if a third party learns any session key, then it can only access data protected only by this key. To maintain perfect forward secrecy, the key used to encrypt the transmitted data must not be used to derive any additional keys. Also, if the key used to encrypt the transmitted data was derived from some other key material, that material should not be used to derive any other keys.

This explanation is completely incomprehensible to me.

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

V

Vamp, 2021-05-06
@VITYA-XY1

dhparam is a prime number used in the Diffie-Hellman algorithm to exchange session keys with the client.
Specifying ssl_dhparam makes the family of DHE/EDH algorithms available for use in nginx. Just those that use Forward Secrecy, which are written in your quote. In a nutshell, when using algorithms with FS, an attacker will not be able to decrypt the intercepted traffic, even if he takes possession of the server's private key.
A small value of this prime number allows a logjam attack on TLS, so a large one should be generated. 4096 bits will be enough with a margin.
Command to generate dhparam file:

openssl dhparam -out /etc/pki/nginx/dhparam.pem 4096

K

ky0, 2021-05-06
@ky0

This is not clear - start with underlying concepts, but at least in the same Wikipedia .