Is a Diffie–Hellman key exchange dhparam.pem needed in the certificates module?

I’m not too up to date with current encryption methods; however, I was wondering if the Diffie-Hellman key would offer additional security when added to the certificates module?

I’ve read that it helps prevent logjam attacks, might be good to have perhaps?

I always thought it simply adds more entropy to the key generation, but I’m probably wrong there.

Thoughts anyone?

Hi @0ctatr0n welcome to NethServer community!

Nowadays a random 2048 bit DH group is often suggested for security. @stephdl is currently working on DH improvements for the mail server, generating a random one. Some services offer only a builtin group (from RFCs), some do not allow DH at all.

I don’t think an interface is necessary for uploading the DH group. Instead the DH group can be generated by the server itself for the services that support a custom one.

The services do not use the same dh group, a dh group is unique to the service. A dh group is signed by the private key and is used to find a common temporary key for just one time. Like this, even if your private key is compromised, the bad guy cannot decrypt the communications.

We speak about perfect forward secrecy: https://en.m.wikipedia.org/wiki/Forward_secrecy

In the best world, the dh group should be renewed from time to time, nothing to upload, only the service uses it.


Thank you for the quick response Davide and Stephane, I admit I’ve read through the content you recommended and I perhaps vaguely grasp what’s happening with this dh key exchange.
I was intending on adding it to the built in apache reverse proxy for the docker services I wish to run. If what you’re saying is this is an outmoded form of security I won’t bother with it.
However if it does improve overall security, I’d be grateful to know where the certificates are hidden within NethServer so I could attempt to add it manually.

I just performed an ssllabs test on my letsencrypt certificate and was given a ‘B’ grade telling me TLS 1.0 and 1.1 have been degraded and need to be removed.
Apparently to get an A+ I need to have it set to : “TLS 1.2 + HSTS + No Warning + TLS_FALLBACK_SCSV”

Again I’m only a novice at this sort of thing and half the time I don’t know what I’m talking about, so thanks again for being patient with me.

Sincerely,

0ctatr0n

We have just released a new tls policy for ns7.8 only tls1.2, you can just use it.

Certs are under /etc/pki, DH is not an easy way, each service uses its dh group, apache gets one of openssl, dovecot uses an encrypted one, postfix another one, same for openvpn…and some services like apache or dovecot do not get a version that allows to change it.

For now we are working to change the default one of postfix mainly because it is a 1024, rather for a security concern. This work has not been released.
