

How Diffie-Hellman Fails in Practice [pdf] - mikemoka
https://weakdh.org/imperfect-forward-secrecy.pdf

======
diafygi
So just to clarify, there are two problems for sysadmins to fix, right?

1. Your HTTPS cipher list may include EXPORT ciphers that make the initial DH
bits low enough to break.

2. Your ephemeral DH parameters in your EDH ciphers may be low enough to
break.

For the first problem, you need to add !EXPORT to your ciphers list. For the
second problem, you need to generate a larger dhparam file via
`openssl dhparam -out dhparam.pem 2048` and include that in your server's
https settings.

So the million dollar question is why do Apache and nginx make these settings
the default?

Apache's default ciphers are openssl's DEFAULT. Shouldn't they at least add in
some !MD5 !aNULL and !EXPORT[1]? Nginx's default ciphers are currently
HIGH:!aNULL:!MD5, which still includes EXPORT[2]. For ephemeral DH, it appears
that Apache >2.4.7 uses the same bit length of the main ssl key[3]. Can anyone
confirm? For nginx, they use the openssl default[4], which apparently is still
at 1024 bits :(

These defaults should be updated. Anyone have links to bug reports requesting
these changes?

[1]: http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslciphersuite

[2]: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers

[3]: http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatefile

[4]: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
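
The two checks from the comment above (an explicit !EXPORT in the cipher list, and a dhparam file of at least 2048 bits), as an added example that is not part of the thread or of any project it mentions. The names `audit`, `dh_prime_bits` and `sample_pem` are hypothetical, and the sample PEM is constructed: its "prime" has the right size but is not a real prime.

```python
import base64
import re

MIN_DH_BITS = 2048  # size used in the comment's `openssl dhparam` command

def _read_tlv(buf, want_tag):
    """Read the DER element at the start of buf; return its value bytes."""
    if len(buf) < 2 or buf[0] != want_tag:
        raise ValueError(f"expected DER tag {want_tag:#x}")
    length, pos = buf[1], 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length]

def dh_prime_bits(pem):
    """Bit length of p in a PEM 'DH PARAMETERS' block: SEQUENCE { INTEGER p, INTEGER g }."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.+?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    seq = _read_tlv(der, 0x30)   # outer SEQUENCE
    p = _read_tlv(seq, 0x02)     # first INTEGER is the prime p
    return int.from_bytes(p, "big").bit_length()

def audit(cipher_string, dh_pem):
    """Textual check for a literal !EXPORT token (the list is not expanded), plus DH size."""
    findings = []
    if "!EXPORT" not in re.split(r"[:, ]+", cipher_string):
        findings.append("cipher list has no !EXPORT")
    bits = dh_prime_bits(dh_pem)
    if bits < MIN_DH_BITS:
        findings.append(f"DH prime is {bits} bits, below {MIN_DH_BITS}")
    return findings

def _der(tag, value):
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample_pem(bits):
    """Constructed input: p has the requested size but is NOT a real prime."""
    p = (1 << (bits - 1)) | 1
    body = _der(0x02, b"\x00" + p.to_bytes(bits // 8, "big")) + _der(0x02, b"\x02")
    b64 = base64.encodebytes(_der(0x30, body)).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + b64 + "-----END DH PARAMETERS-----\n"
```

For a real server, pass the configured cipher string and the contents of the file written by the `openssl dhparam` command to `audit`.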

~~~
ddp
That question is perhaps easy to answer. Look up how much the NSA paid RSA,
Inc. to make DUAL_EC_DRBG the BSAFE default…

