[Documentation] Increase bitlength recommendation for DH parameters

Also clarify the behaviour of TLS backends and the consequences for
not providing any parameters at all.

[ci skip]
Aaron Jones 2016-05-05 04:18:31 +00:00
parent 70a70462e5
commit 9d6b870d7b
GPG key ID: 6E854C0FAAD4CEA4
2 changed files with 6 additions and 2 deletions

@ -72,7 +72,9 @@ serverinfo {
* However it has been reported that some clients have broken TLS implementations which may
* choke on keysizes larger than 2048-bit, so we would recommend using 2048-bit DH parameters
* for now if your keys are larger than 2048-bit.
*/
*
* If you do not provide parameters, some TLS backends will fail on DHE- ciphers,
* and some will succeed but use weak, common DH groups! */
ssl_dh_params = "etc/dh.pem";
/* ssld_count: number of ssld processes you want to start, if you
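Review bot: the new text closes the comment mid-line (`and some will succeed but use weak, common DH groups! */`), whereas the block above puts `*/` on its own line; keep the block's own convention so the closing delimiter is easy to spot. The phrase `DHE- ciphers` also reads oddly with the trailing hyphen; `DHE ciphersuites` would be clearer. Since the point of the addition is that omitting `ssl_dh_params` is not a safe default, consider stating that plainly (e.g. "always set ssl_dh_params") rather than leaving the reader to infer it from "some TLS backends".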

@ -154,7 +154,9 @@ serverinfo {
/* ssl_private_key: our ssl private key (if not contained in ssl_cert file) */
#ssl_private_key = "etc/ssl.key";
/* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 1024 */
/* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 2048 */
/* If you do not provide parameters, some TLS backends will fail on DHE- ciphers,
and some will succeed but use weak, common DH groups! */
ssl_dh_params = "etc/dh.pem";
/* ssl_cipher_list: A list of ciphers, dependent on your TLS backend */
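Review bot: the added two-line comment (`/* If you do not provide parameters, ...` / `and some will succeed but use weak, common DH groups! */`) is the only multi-line comment in this region without a leading `*` on its continuation line, so it visually blends with the surrounding single-line comments; align it with the other file's block style or split it into two single-line comments. The same `DHE- ciphers` wording appears here and would read better as `DHE ciphersuites`. The `openssl dhparam -out dh.pem 2048` change matches the 2048-bit recommendation in the other file; it may be worth adding the same one-line caveat here (use 2048 even with larger keys) so the two files do not drift apart.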