
I recently put each of my sites through the SSL Labs analyzer and now have them all running with an A+, getting perfect scores on every metric except Key Exchange at 90.

As part of this I have globally set my Nginx server to use a dhparams.pem file for ssl_dhparam. My question is whether or not it is fine for all my different sites to use the same dhparams.pem file, or would it be considered better practice for each site to use a different file?

David Baucum

1 Answer


The Diffie-Hellman parameters are not secret. In fact, they are shared entirely during every key exchange. Reusing them should not be a major issue in general, if they are of good quality and length.

At one time it was reasonably common to use 512-bit parameters. An attack called Logjam was discovered whereby data to decode the key exchange could be pre-computed, allowing reasonable attacks. This is considered to be impractical for even 1024-bit parameters, so using 2048- or 4096-bit parameters eliminates the possibility of a pre-computation attack on your specific values entirely.

le3th4x0rbot
  • Thank you. I used 4096 bits as recommended by various sites. – David Baucum Sep 26 '18 at 18:30
  • @DavidBaucum Servers running on particularly old hardware may struggle to keep up with 4096-bit DHE connections. I've had to tone it down to 3072 in the past for an old Athlon processor. – forest Sep 27 '18 at 02:08
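An added example, not part of the question or answer above, showing what a dhparams.pem actually contains and why sharing it across sites is harmless: the file is just a DER-encoded SEQUENCE of the public prime p and generator g (PKCS#3 DHParameter), so the only thing worth checking is the bit length of p. The script encodes and decodes that structure, flags groups below 2048 bits (the Logjam threshold discussed in the answer), and runs a toy exchange in which two "sites" use the identical group yet end up with independent shared secrets. The demo PEM is constructed here from the Mersenne prime 2^521 - 1 with g = 2; it is far too small and is not a safe prime, and exists only to exercise the parser and the size check. The function names and the MIN_BITS threshold are this example's own assumptions.

```python
"""Inspect the DH group inside a dhparams.pem and run a toy exchange with it."""
import base64
import secrets

MIN_BITS = 2048  # assumption: below this, Logjam-style precomputation is a realistic concern


def _der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value):
    """Encode a non-negative INTEGER; the extra byte keeps the top bit clear."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def encode_dhparams_pem(p, g):
    """Build the PEM that 'openssl dhparam' would write for this group."""
    seq_body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(seq_body)) + seq_body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_dhparams_pem(pem):
    """Return (p, g) from a DH PARAMETERS PEM block (optional third field ignored)."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    der = base64.b64decode("".join(lines))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def assess(pem):
    """Report the group size and whether it clears MIN_BITS."""
    p, g = parse_dhparams_pem(pem)
    bits = p.bit_length()
    return {"bits": bits, "generator": g, "ok": bits >= MIN_BITS}


def dh_exchange(p, g):
    """One ephemeral DH handshake over the public group; returns both sides' secrets."""
    a = secrets.randbelow(p - 2) + 1  # client private exponent
    b = secrets.randbelow(p - 2) + 1  # server private exponent
    pub_a, pub_b = pow(g, a, p), pow(g, b, p)  # the only values ever sent
    return pow(pub_b, a, p), pow(pub_a, b, p)


# Constructed demo group: Mersenne prime M521, deliberately undersized, not a safe prime.
DEMO_P = 2 ** 521 - 1
DEMO_G = 2
DEMO_PEM = encode_dhparams_pem(DEMO_P, DEMO_G)

if __name__ == "__main__":
    print(DEMO_PEM)
    report = assess(DEMO_PEM)
    print(f"group size: {report['bits']} bits, acceptable: {report['ok']}")
    # Two sites sharing the same dhparams.pem still derive unrelated secrets.
    site1 = dh_exchange(DEMO_P, DEMO_G)
    site2 = dh_exchange(DEMO_P, DEMO_G)
    print("site1 sides agree:", site1[0] == site1[1])
    print("site2 sides agree:", site2[0] == site2[1])
    print("site1 and site2 secrets differ:", site1[0] != site2[0])
```

To check a real file, read it and pass the text to assess(); a 4096-bit group from openssl will report bits == 4096. Note that the secrecy of each connection rests on the per-handshake exponents a and b, never on p or g, which is why one group can serve every vhost that points ssl_dhparam at the same file.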