4.1.6 Ensure custom Diffie-Hellman parameters are used

Information

Custom Diffie-Hellman (DH) key exchange parameters should be used. DH Ephemeral (DHE) parameters with at least 2048 bits should be generated.

Rationale:

Backward-compatible Perfect Forward Secrecy (PFS) ciphers (e.g. DHE-RSA-AES128-SHA256) should use strong and unique parameters. By default, NGINX will generate 1024-bit RSA keys for PFS ciphers; stronger alternatives should be used instead to provide better protection for data protected by encryption.

Solution

Generate strong DHE (Ephemeral Diffie-Hellman) parameters using the following commands:

mkdir /etc/nginx/ssl
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
chmod 400 /etc/nginx/ssl/dhparam.pem

Alter the server configuration to use the new parameters:

http {
server {
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
}
}

See Also

https://workbench.cisecurity.org/benchmarks/17381

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: Unix

Control ID: d4efd8af3caf5a749a5bd290f55c1e4d92e4f4f10e6f9ff6f276cbe6e8d96caf