
[Resolved] Changing DH-key from 2048 to 4096

learning_curve

Silver Pleskian
Pre-Modification status on all domains / certificates (independent site report extracts)
Code:
***                 ***
Key                 RSA 2048 bits (e 65537)
Weak key (Debian)   No
***                 ***
Code:
***                   ***
Key Type/Size         RSA 2048 bits
Signature Algorithm   sha256WithRSAEncryption
***                   ***
Our modifications consisted of running this command line first
Code:
openssl dhparam -out /usr/local/psa/etc/dhparams.pem 4096
Then applying the following changes:

The quoted line within >> /etc/proftpd.d/ssl.conf >>
Code:
TLSDHParamFile /usr/local/psa/etc/dhparams2048.pem
changed to
TLSDHParamFile /usr/local/psa/etc/dhparams4096.pem
The quoted line within >> /etc/sw-cp-server/conf.d/ssl.conf >>
Code:
ssl_dhparam /usr/local/psa/etc/dhparams2048.pem
changed to
ssl_dhparam /usr/local/psa/etc/dhparams4096.pem

Followed by Apache and nginx checks and then a server restart.

The result was... :( exactly the same as the Pre-Modification on all domains / certificates box above :(

Either we have misunderstood where the 2048 key length is actually applied (wrong file or wrong instruction), or in what order the key length is applied (which file has priority, etc.), or, even simpler, we have misunderstood the 2048/4096 process and this change cannot be carried out when using Plesk and the setup that we currently have (see signature). All of our original 2048 files/references are still in place, so we can easily revert to them if needed, but it's well worth asking for any guidance ;) before we do that...
 
Last edited:
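An added example (the editor's, not part of the post above and not Plesk code): a standard-library-only Python check of what size DH group a dhparams PEM file actually holds. The SSL Labs "Key RSA 2048 bits" line quoted in the post describes the certificate's RSA public key; the file named by ssl_dhparam holds a PKCS#3 DHParameter (prime p, generator g), and its size is the bit length of p. The path in the usage comment is an assumption, and the built-in sample is a constructed 4096-bit odd number rather than a real safe prime, so it only exercises the parser; point the script at the real file to see what was generated.

```python
"""Inspect what a dhparams PEM file actually contains.

Added example; not part of the post or of Plesk.  DH PARAMETERS is
PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }
and the "4096" in "openssl dhparam ... 4096" is the bit length of the prime.
"""
import base64
import sys

PEM_BEGIN = "-----BEGIN DH PARAMETERS-----"
PEM_END = "-----END DH PARAMETERS-----"


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_dh_pem(pem_text):
    """Return (p, g) from a DH PARAMETERS PEM block (optional privateValueLength is ignored)."""
    start = pem_text.find(PEM_BEGIN)
    end = pem_text.find(PEM_END)
    if start < 0 or end < 0:
        raise ValueError("no DH PARAMETERS block found")
    b64 = pem_text[start + len(PEM_BEGIN):end]
    der = base64.b64decode("".join(b64.split()))
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, nxt = _read_tlv(body, 0)
    tag_g, g_bytes, _ = _read_tlv(body, nxt)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def dh_bits(pem_text):
    """Bit length of the prime: the N that 'openssl dhparam -text -noout' shows as 'DH Parameters: (N bit)'."""
    p, _ = parse_dh_pem(pem_text)
    return p.bit_length()


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_int(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw               # leading zero keeps the INTEGER positive
    return b"\x02" + _der_len(len(raw)) + raw


def encode_dh_pem(p, g=2):
    """Encode (p, g) as a DH PARAMETERS PEM block; used here only to build offline test input."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return PEM_BEGIN + "\n" + "\n".join(lines) + "\n" + PEM_END + "\n"


# Constructed stand-in for a real file: NOT a safe prime, just a 4096-bit odd
# number, enough to exercise the parser without running openssl.
SAMPLE_4096_PEM = encode_dh_pem((1 << 4095) | 1)

if __name__ == "__main__":
    # Usage (path is an assumption): python3 dh_bits.py /usr/local/psa/etc/dhparams.pem
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_4096_PEM
    print("DH prime is %d bits" % dh_bits(text))
```

Run it against the 2048 file and the newly generated file side by side; if both report the size you expect, the file is fine and the question moves to which server block is actually loading it.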
Shouldn't the sw-cp-server config file have this?
It is nginx, isn't it?
Code:
ssl_dhparam             /etc/dhparam/dhparam4096.pem;

Code:
# ls -l /etc/dhparam/
total 16K
-rw-r--r-- 1 root root 245 Aug 27 04:40 dhparam1024.pem
-rw-r--r-- 1 root root 424 Aug 27 04:40 dhparam2048.pem
-rw-r--r-- 1 root root 769 Aug 27 04:44 dhparam4096.pem
-rw-r--r-- 1 root root 156 Aug 27 04:40 dhparam512.pem
 
Yes, all domains are running nginx as proxy, but hmmmmm, this is the start of the mystery perhaps :eek:
We don't have (and never have had for whatever reason) this directory /etc/dhparam/

Code:
# ls -l /etc/dhparam/
ls: cannot access /etc/dhparam/: No such file or directory
#
 
Last edited:
Shouldn't the sw-cp-server config file have this?
It is nginx, isn't it?
Code:
ssl_dhparam             /etc/dhparam/dhparam4096.pem;
There's no such reference in our sw-cp-server config file (config) :(
The only 'associated' reference is this:
Code:
include /etc/sw-cp-server/conf.d/*.conf;
which by default, therefore includes
Code:
/etc/sw-cp-server/conf.d/ssl.conf
which again by default, therefore includes the content that we originally posted;
Code:
ssl_dhparam /usr/local/psa/etc/dhparams2048.pem
all of which works just fine!

Unless....we try changing it in the manner we've posted, whereby those changes are ignored, even after a full server restart
There's obviously another factor somewhere / a better way of doing this.
Maybe.. by changing the current setup, to the way you have queried the existence of?
 
Last edited:
Mine contains this... I never touched that config..
cat /etc/sw-cp-server/conf.d/ssl.conf
Code:
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

AFAIK "TLSDHParamFile" is not an nginx directive....

Alphabetical index of directives (search for param)

Maybe the Plesk interface is running nginx on mine and yours maybe different.
Some kind of creative programming of Plesk...
Or could it be you're mistaken?
 
Mine contains this... I never touched that config..
cat /etc/sw-cp-server/conf.d/ssl.conf
Code:
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

AFAIK "TLSDHParamFile" is not an nginx directive....

Alphabetical index of directives (search for param)

Maybe the Plesk interface is running nginx on mine and yours maybe different.
Some kind of creative programming of Plesk...
Or could it be you're mistaken?
We're often mistaken :D but ours is very similar to what you have posted:
Code:
ssl_ciphers <snip> ....long specific cipher list....<snip>
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2;
ssl_dhparam /usr/local/psa/etc/dhparams2048.pem;
 
We're often mistaken :D but ours is very similar to what you have posted:
Code:
ssl_ciphers <snip> ....long specific cipher list....<snip>
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2;
ssl_dhparam /usr/local/psa/etc/dhparams2048.pem;
That's not what you are writing in your first posts...
 
Whilst we are just shooting from the hip / guessing in this post, in order to check this properly against what you very helpfully posted earlier, we would need to remove the line
Code:
ssl_dhparam /usr/local/psa/etc/dhparams2048.pem;
from /etc/sw-cp-server/conf.d/ssl.conf and
Code:
TLSDHParamFile /usr/local/psa/etc/dhparams2048.pem
from /etc/proftpd.d/ssl.conf


then create /etc/dhparam/dhparam4096.pem
then... add the line
Code:
ssl_dhparam /etc/dhparam/dhparam4096.pem;
into /etc/sw-cp-server/config

then, test nginx and apache and restart sw-cp-server and/or run full server restart
and finally(!) run the independent tests again to check the 4096 config had been successfully applied?
 
Last edited:
That's not what you are writing in your first posts...
Sorry, cross posts there, but we don't understand this answer anyway ;) Do you mean we have posted about /etc/sw-cp-server/conf.d/ssl.conf and then /etc/sw-cp-server/config, or something else?
 
Somehow I read you were using "TLSDHParamFile" for the Nginx config, but now I don't read that anymore.
I did check if you maybe edited the first post, but you didn't....
Sorry... forget all my remarks regarding TLSDHParamFile

EDIT: It seems you did edit it.... (I was starting to get worried about my mental health)
 
Last edited:
OK.....

But was the typo in the post or in your config?
I guess just in the post as you would be getting an error.

For these reasons I always use "cat" and copy/paste this into the post.
Anything wrong in the real file would get reflected in the post and might be spotted by others....
 
:) Yes, just a simple speed typing typo in the post itself.
The file is as per the corrected post now and has no errors etc.
 
But how are you testing the site? (you should be explicit about this)
I know that SSLLabs only scans port 443, so how are you testing it?

There's no need to restart the complete server.

Code:
/etc/init.d/sw-cp-server stop
/etc/init.d/sw-cp-server start

Note that I don't use restart.
When you issue a restart, some daemons will check the new config before stopping. If the daemon rejects the config, it will not stop and will continue using the old config.

This may be good from a reliability point of view, but you should take that in consideration when using restart....
A situation with an invalid config may bite you many days (weeks, months?) later and you will have no clue why your daemon suddenly doesn't work...
 
Yes, all domains are running nginx as proxy, but hmmmmm, this is the start of the mystery perhaps :eek:
We don't have (and never have had for whatever reason) this directory /etc/dhparam/

Code:
# ls -l /etc/dhparam/
ls: cannot access /etc/dhparam/: No such file or directory
#

You don't have any files there because you don't have this weekly script running.
I have a new key there each week... automatically
If openssl fails somehow, you will still have the old one.

ln -s /usr/local/sbin/gen_dhparam /etc/cron.weekly/
cat /usr/local/sbin/gen_dhparam
Code:
#!/bin/bash
# Regenerate DH parameter files for every size from 512 up to 4096 bits.
# Each size is written to a temp file first and only copied into
# /etc/dhparam/ when openssl succeeded, so a failed run keeps the old file.
# (The 512 and 1024-bit files are produced only because the loop starts at
# 512; they are far too small to configure for TLS.)

mkdir -p /etc/dhparam 2>/dev/null
FILE=$(mktemp)

N=512
while [ "$N" -le 4096 ]; do
  # Options precede the size: "openssl dhparam [options] numbits".
  openssl dhparam -out "$FILE" "$N" && cat "$FILE" >"/etc/dhparam/dhparam${N}.pem"
  let N*=2
done

rm -f "$FILE"
 
Cool :cool: we'll certainly try this, and many thanks for sharing, but to try this method, we'll first need to 'remove' the existing setup as shown below, wouldn't we? (This works fine at 2048 bit and always has done, as we've already said, but can easily be re-applied if needed.) Otherwise, we're guessing that we'll have duplication / conflict?

Remove the line
Code:
ssl_dhparam /usr/local/psa/etc/dhparams2048.pem;
from /etc/sw-cp-server/conf.d/ssl.conf

and remove the line
Code:
TLSDHParamFile /usr/local/psa/etc/dhparams2048.pem
from /etc/proftpd.d/ssl.conf
 
I would...

But still....
I don't know how you are testing this and I would like to test this on my system to see if I can see the same.
From there we may find what's wrong....

In the meantime I did this on my system

cat /etc/sw-cp-server/conf.d/ssl_extra.conf
Code:
add_header              Strict-Transport-Security max-age=15768000 always;
ssl_dhparam             /etc/dhparam/dhparam4096.pem;
ssl_ecdh_curve          secp521r1:secp384r1:prime256v1;

Code:
cp -p /etc/sw-cp-server/conf.d/ssl.conf /etc/sw-cp-server/conf.d/ssl.conf.org
cp -p /etc/nginx/conf.d/ssl.conf /etc/sw-cp-server/conf.d/ssl.conf
/etc/init.d/sw-cp-server stop
[ ok ] Stopping sw-cp-server (via systemctl): sw-cp-server.service.
/etc/init.d/sw-cp-server start
[ ok ] Starting sw-cp-server (via systemctl): sw-cp-server.service.
 
Last edited:
I would...
Then we will :cool:
I don't know how you are testing this and I would like to test this on my system to see if I can see the same. From there we may find what's wrong....
please see our previous post
In the meantime I did this on my system

cat /etc/sw-cp-server/conf.d/ssl_extra.conf
Code:
add_header              Strict-Transport-Security max-age=15768000 always;
ssl_dhparam             /etc/dhparam/dhparam4096.pem;
ssl_ecdh_curve          secp521r1:secp384r1:prime256v1;
Code:
cp -p /etc/sw-cp-server/conf.d/ssl.conf /etc/sw-cp-server/conf.d/ssl.conf.org
cp -p /etc/nginx/conf.d/ssl.conf /etc/sw-cp-server/conf.d/ssl.conf
/etc/init.d/sw-cp-server stop
[ ok ] Stopping sw-cp-server (via systemctl): sw-cp-server.service.
/etc/init.d/sw-cp-server start
[ ok ] Starting sw-cp-server (via systemctl): sw-cp-server.service.
Excellent! For simplicity however and seeing as we have to modify this file anyway now, why couldn't we add
Code:
ssl_dhparam             /etc/dhparam/dhparam4096.pem;
ssl_ecdh_curve          secp521r1:secp384r1:prime256v1;
directly into /etc/sw-cp-server/conf.d/ssl.conf simply to prove the theory before adding the cron task etc?
Code:
add_header              Strict-Transport-Security max-age=15768000 always;
The line above is already taken care of elsewhere so not a factor (for us) in this we think
 
I have no problems at all applying the different parameters.
Just did several mods to the SSL-setting of the Plesk panel and they all apply and can be seen in Analyse your HTTP response headers

Now if you tell me where you can see the key length in what site and I will tell you the result I have on mine.

[EDIT] just saw the list.... only 1 of these sites will show you the DH-key.

SSL Server Test (Powered by Qualys SSL Labs) can't test other ports than 443
SSL Certificate Checker It gives "no certificates found"
SSL Certificate Checker - Diagnostic Tool | DigiCert.com Gives the key length of 2048, but this is not the dhparam key (I guess that is your mistake)
SSL/TLS Server Test | High-Tech Bridge This site was the only one that gave info on the DH-key and as you can see it's 4096 bits.....

[screenshot attachment: High-Tech Bridge test result]
 
Last edited:
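An added example (the editor's, not from the thread and not Plesk code) for the check the last post arrives at: the certificate's key size and the negotiated DH group are two different numbers, and most online checkers only show the first. The script parses what "openssl s_client" prints: "Server public key is N bit" is the certificate's RSA key (what the DigiCert checker reported), while "Server Temp Key: DH, N bits" is the ephemeral group taken from ssl_dhparam. live_check() runs the real command against host:port (8443 assumed for the Plesk panel, so it also covers what SSL Labs cannot scan); the sample output is constructed so the parsing can be exercised offline, and the hostname in it is a placeholder.

```python
"""Separate certificate key size from negotiated DH group size in s_client output.

Added example; not part of the thread or of Plesk.
"""
import re
import subprocess

# Constructed sample of what OpenSSL 1.0.2+/1.1.x "s_client" prints after a
# handshake against a DHE suite.  Hostname and byte counts are made up.
SAMPLE_S_CLIENT = """\
CONNECTED(00000003)
depth=0 CN = panel.example.test
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB...(omitted)...
-----END CERTIFICATE-----
subject=CN = panel.example.test
issuer=CN = panel.example.test
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: DH, 4096 bits
---
SSL handshake has read 5831 bytes and written 302 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
"""

_TEMP_KEY = re.compile(r"Server Temp Key:\s*([^,\n]+),(?:\s*([^,\n]+),)?\s*(\d+) bits")
_PUB_KEY = re.compile(r"Server public key is (\d+) bit")
_CIPHER = re.compile(r"Cipher is (\S+)")


def temp_key(output):
    """(kind, curve_or_None, bits) of the ephemeral key, or None if none was printed."""
    m = _TEMP_KEY.search(output)
    if not m:
        return None
    return m.group(1), m.group(2), int(m.group(3))


def summarize(output):
    """Certificate key size, ephemeral key and cipher suite as separate fields."""
    pub = _PUB_KEY.search(output)
    ciph = _CIPHER.search(output)
    return {
        "cert_key_bits": int(pub.group(1)) if pub else None,
        "temp_key": temp_key(output),
        "cipher": ciph.group(1) if ciph else None,
    }


def dh_group_bits(output):
    """Size of the finite-field DH group in use, or None if the suite was not DHE (e.g. ECDHE)."""
    tk = temp_key(output)
    return tk[2] if tk and tk[0] == "DH" else None


def live_check(host, port=8443, timeout=15):
    """Force a DHE suite over TLS 1.2 so the Temp Key line reflects ssl_dhparam.

    Needs the openssl binary and network access; the offline test does not call it.
    """
    cmd = ["openssl", "s_client", "-connect", "%s:%d" % (host, port),
           "-servername", host, "-tls1_2", "-cipher", "DHE"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return summarize(proc.stdout.decode(errors="replace"))


if __name__ == "__main__":
    import sys
    s = live_check(sys.argv[1]) if len(sys.argv) > 1 else summarize(SAMPLE_S_CLIENT)
    print("certificate key: %s bits" % s["cert_key_bits"])
    print("ephemeral key:   %s" % (s["temp_key"],))
    print("cipher:          %s" % s["cipher"])
```

If the live result shows a DHE cipher with "DH, 4096 bits" while the certificate line still says 2048, the dhparam change has taken effect and the checkers that reported 2048 were simply reading the certificate. If the Temp Key line says ECDH instead, the server preferred an ECDHE suite and the DH file was never used for that connection, which is the other reason a 4096 setting can look like it "did nothing".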