MEDIUM: ssl: Disable DHE ciphers by default
DHE ciphers do not present a security risk if the key is big enough but
they are slow and mostly obsoleted by ECDHE. This patch removes any
default DH parameters. This will effectively disable all DHE ciphers
unless a global ssl-dh-param-file is defined, or
tune.ssl.default-dh-param is set, or a frontend has DH parameters
included in its PEM certificate. In this latter case, only the frontends
that have DH parameters will have DHE ciphers enabled.
Adding explicitely a DHE ciphers in a "bind" line will not be enough to
actually enable DHE. We would still need to know which DH parameters to
use so one of the three conditions described above must be met.
This request was described in GitHub issue #1604.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 95d1177..a3f3e46 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1960,9 +1960,10 @@
which do not explicitly define theirs. It will be overridden by custom DH
parameters found in a bind certificate file if any. If custom DH parameters
are not specified either by using ssl-dh-param-file or by setting them
- directly in the certificate file, pre-generated DH parameters of the size
- specified by tune.ssl.default-dh-param will be used. Custom parameters are
- known to be more secure and therefore their use is recommended.
+ directly in the certificate file, DHE ciphers will not be used, unless
+ tune.ssl.default-dh-param is set. In this latter case, pre-defined DH
+ parameters of the specified size will be used. Custom parameters are known to
+ be more secure and therefore their use is recommended.
Custom DH parameters may be generated by using the OpenSSL command
"openssl dhparam <size>", where size should be at least 2048, as 1024-bit DH
parameters should not be considered secure anymore.
@@ -2925,11 +2926,14 @@
the ephemeral/temporary Diffie-Hellman key in case of DHE key exchange. The
final size will try to match the size of the server's RSA (or DSA) key (e.g,
a 2048 bits temporary DH key for a 2048 bits RSA key), but will not exceed
- this maximum value. Default value if 2048. Only 1024 or higher values are
- allowed. Higher values will increase the CPU load, and values greater than
- 1024 bits are not supported by Java 7 and earlier clients. This value is not
- used if static Diffie-Hellman parameters are supplied either directly
- in the certificate file or by using the ssl-dh-param-file parameter.
+ this maximum value. Only 1024 or higher values are allowed. Higher values
+ will increase the CPU load, and values greater than 1024 bits are not
+ supported by Java 7 and earlier clients. This value is not used if static
+ Diffie-Hellman parameters are supplied either directly in the certificate
+ file or by using the ssl-dh-param-file parameter.
+ If there is neither a default-dh-param nor a ssl-dh-param-file defined, and
+ if the server's PEM file of a given frontend does not specify its own DH
+ parameters, then DHE ciphers will be unavailable for this frontend.
tune.ssl.ssl-ctx-cache-size <number>
Sets the size of the cache used to store generated certificates to <number>