|
Size: 1347
Comment:
|
Size: 1339
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 32: | Line 32: |
| `openssl(1)` defaults to 1024-bit keys, which lags behind the modern standard of 2048-bits. This is a particular problem for software that defer cryptographic decisions to `openssl(1)` at runtime, such as `nginx(8)`. One of the most common cryptographic decisions that is affected by this situation is the selection of parameters for Diffie-Hellman key exchanges. | `ssl(7)` defaults to 1024-bit keys, which lags behind the modern standard of 2048-bits. This is a particular problem for software that defer cryptographic decisions to `ssl(7)` at runtime, such as `nginx(8)`. One of the most common cryptographic decisions that is affected by this situation is the selection of parameters for Diffie-Hellman key exchanges. |
OpenSSL
The OpenSSL project maintains the acryptographic library ssl(7) and a userland tool openssl(1).
Certificates
It is highly recommended to not use openssl(1)-generated certificates for web encryption. Clients have no reason to trust a self-signed certificate unless you
operate your own certificate authority (strongly not recommended)
- configure all client machines
Usage
To generate a certificate and private key simultaneously, try:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /path/to/domain-name.com/key.pem -out /path/to/domain-name.com/cert.pem
Diffie-Hellman Parameters
ssl(7) defaults to 1024-bit keys, which lags behind the modern standard of 2048-bits. This is a particular problem for software that defer cryptographic decisions to ssl(7) at runtime, such as nginx(8). One of the most common cryptographic decisions that is affected by this situation is the selection of parameters for Diffie-Hellman key exchanges.
To generate a stronger configuration, try:
openssl dhparam -out /path/to/dhparam.pem 4096
For details on how to use this configuration, see the following articles for NGINX.