In some cases you may wish to allow Diffie–Hellman (DHE) ciphers in order to support older clients like IE on Windows 7. On Plesk we often use the “intermediate” level in the Mozilla cipher set as described here:
https://wiki.mozilla.org/Security/Server_Side_TLS
The “intermediate” level includes:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES256-GCM-SHA384
Of course the “ECDSA” or “Elliptic Curve Digital Signature Algorithm” ciphers will only be available if you are using ECC signed certificates.
Additionally the “DHE” ciphers will not be available by default if you are using Nginx releases greater then 1.11. With the 1.11 release Nginx moved the DHE key to an external setting instead of an internally generated key. The stock Nginx packages on Ubuntu and CentoOS do not setup a DHE key which results in the DHE ciphers not being available.
To address this problem, start by generating a key:
|
1 2 |
cd /etc/ssl/certs openssl dhparam -out dhparam.pem 4096 |
Next tell Nginx where to find the key:
|
1 |
echo "ssl_dhparam /etc/ssl/certs/dhparam.pem;" > /etc/nginx/conf.d/ssl_dh.conf |
Verify Nginx config and restart:
|
1 2 |
nginx -t systemctl restart nginx |
Now the DHE ciphers will be offered to clients and Window 7 / IE clients will be able to connect to the sites hosted on the server.