[Documentation] Increase bitlength recommendation for DH parameters
Also clarify the behaviour of TLS backends and the consequences of not providing any parameters at all. [ci skip]
This commit is contained in:
parent
70a70462e5
commit
9d6b870d7b
2 changed files with 6 additions and 2 deletions
|
@ -72,7 +72,9 @@ serverinfo {
|
||||||
* However it has been reported that some clients have broken TLS implementations which may
|
* However it has been reported that some clients have broken TLS implementations which may
|
||||||
* choke on keysizes larger than 2048-bit, so we would recommend using 2048-bit DH parameters
|
* choke on keysizes larger than 2048-bit, so we would recommend using 2048-bit DH parameters
|
||||||
* for now if your keys are larger than 2048-bit.
|
* for now if your keys are larger than 2048-bit.
|
||||||
*/
|
*
|
||||||
|
* If you do not provide parameters, some TLS backends will fail on DHE- ciphers,
|
||||||
|
* and some will succeed but use weak, common DH groups! */
|
||||||
ssl_dh_params = "etc/dh.pem";
|
ssl_dh_params = "etc/dh.pem";
|
||||||
|
|
||||||
/* ssld_count: number of ssld processes you want to start, if you
|
/* ssld_count: number of ssld processes you want to start, if you
|
||||||
|
|
|
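Review bot: The line in this first file that states how to generate the parameters lies outside the hunk, which starts at `However it has been reported`, so it cannot be confirmed here that it names 2048 as the updated `openssl dhparam -out dh.pem 2048` line in the second hunk does; if it still says 1024, the two example configs now disagree on the recommended size, which is worth checking. The new sentence `fail on DHE- ciphers` would read more clearly as `fail to negotiate DHE cipher suites`, and the same wording appears in the second hunk. Both added comments could also state that `dh.pem` should be generated on the server itself rather than copied from another installation, since the point of the new text is to avoid shared, weak groups.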
@ -154,7 +154,9 @@ serverinfo {
|
||||||
/* ssl_private_key: our ssl private key (if not contained in ssl_cert file) */
|
/* ssl_private_key: our ssl private key (if not contained in ssl_cert file) */
|
||||||
#ssl_private_key = "etc/ssl.key";
|
#ssl_private_key = "etc/ssl.key";
|
||||||
|
|
||||||
/* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 1024 */
|
/* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 2048 */
|
||||||
|
/* If you do not provide parameters, some TLS backends will fail on DHE- ciphers,
|
||||||
|
and some will succeed but use weak, common DH groups! */
|
||||||
ssl_dh_params = "etc/dh.pem";
|
ssl_dh_params = "etc/dh.pem";
|
||||||
|
|
||||||
/* ssl_cipher_list: A list of ciphers, dependent on your TLS backend */
|
/* ssl_cipher_list: A list of ciphers, dependent on your TLS backend */
|
||||||
|
|