cPanel's default support for secure parameters for Diffie-Hellman key exchange is not optimal, and is even considered insufficient by some official organisations. See for example: IT Security Guidelines for Transport Layer Security (TLS)
That's why I want to increase them.
This is what I've tried so far; first I created new ones:
openssl dhparam -out dhparams-4096.pem 4096
And after that I tried to enable it for a specific domain as outlined in Modify Apache Virtual Hosts with Include Files | cPanel & WHM Documentation
I've added this to a configuration file:
SSLOpenSSLConfCmd DHParameters /etc/apache2/conf/dhparams-4096.pem
And also added an HTTP header so I could check that the file was included (which I could see in the server response after I made the change, rebuilt the config and restarted Apache).
However, when I run testssl (GitHub - drwetter/testssl.sh: Testing TLS/SSL encryption anywhere on any port), it still indicates that my DH is 2048.
My openssl version is 1.0.2k-fips.
What am I doing wrong?
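Two checks that narrow down where a mismatch like the one above comes from, written as an added example (not code from the post or from cPanel): parsing the PEM file on disk to confirm it really holds a 4096-bit prime, and reading the group size the server actually negotiated from the "Server Temp Key: DH, N bits" line that openssl s_client prints. The only assumption is the file path from the post; the sample PEM built by make_sample_pem is constructed purely to run the parser offline.

```python
import base64
import re

def _der_len_decode(buf, i):
    """Decode the DER length field at buf[i]; return (length, index after it)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _der_len_encode(n):
    """Encode n as a DER length field (short or long form)."""
    if n < 0x80:
        return bytes([n])
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(nb)]) + nb

def dhparams_bits(pem_text):
    """Bit length of the prime p in a PEM 'DH PARAMETERS' block.
    PKCS#3 DER layout: SEQUENCE { INTEGER p, INTEGER g [, INTEGER privateValueLength] }."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block in input")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected outer SEQUENCE")
    _, i = _der_len_decode(der, 1)          # skip the SEQUENCE length
    if der[i] != 0x02:
        raise ValueError("expected INTEGER p")
    plen, i = _der_len_decode(der, i + 1)
    return int.from_bytes(der[i:i + plen], "big").bit_length()

def negotiated_dh_bits(s_client_output):
    """Group size from the 'Server Temp Key: DH, N bits' line that
    `openssl s_client -connect host:443 -cipher DHE` prints; None if no DHE key was used."""
    m = re.search(r"Server Temp Key:\s*DH,\s*(\d+)\s*bits", s_client_output)
    return int(m.group(1)) if m else None

def make_sample_pem(bits):
    """Constructed test input only: p = 2**(bits-1) + 1 is NOT a safe prime, it merely
    has the requested bit length so the parser can be exercised offline; g = 2."""
    def der_int(v):
        b = v.to_bytes((v.bit_length() + 8) // 8, "big")  # leading 0x00 keeps it positive
        return b"\x02" + _der_len_encode(len(b)) + b
    body = der_int((1 << (bits - 1)) + 1) + der_int(2)
    b64 = base64.b64encode(b"\x30" + _der_len_encode(len(body)) + body).decode()
    lines = [b64[j:j + 64] for j in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"
```

On the server, `dhparams_bits(open("/etc/apache2/conf/dhparams-4096.pem").read())` should return 4096; if it does while the s_client line still says 2048 bits, the file is fine and the directive is not being applied to the vhost that testssl is hitting.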