Since security is a process, not a single task, I updated my server config.
I noticed that I was missing a good dhparam. This is a follow-up post to last year's "CAA, site configuration, security and HTTP2" post.
Generate the prime
These two directives in the nginx TLS configuration select the curve and point nginx at the generated parameters:
ssl_ecdh_curve secp384r1;
ssl_dhparam /etc/nginx/dhparam.pem;
Disable prime256v1 aka NIST P-256
After some searching on the internet I found some evidence about it being insecure; it is also known as "NIST P-256". If you prefer a discussion, read the node.js tracker.
Going for the stronger curve should have a minimal impact on performance.
Regenerate the dhparam
Regenerating keys is a good idea in general. In 2016 a StackExchange user answered that it is not necessary.
Automating it every week or so still seems like a good idea, so we add this cron job with sudo crontab -e:
# m h dom mon dow command
14 3 * * 1 openssl dhparam -out /etc/nginx/dhparam.pem 4096 && chmod 600 /etc/nginx/dhparam.pem && /bin/systemctl restart nginx.service
Note: We have to use absolute paths in crontab. You can find a binary's absolute path with this command: which ${binary}
See the crontab man page.
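As an added example (not the post's own script), here is the same weekly job written so that the new parameters are generated into a temp file, verified, and renamed into place atomically, and nginx is reloaded after a config test instead of restarted. The absolute paths of openssl, nginx and systemctl and the reload step are assumptions not taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): rotate the nginx dhparam
# like the cron job above, but without two weak spots of a plain
# `openssl dhparam -out /etc/nginx/dhparam.pem`: a half-written file
# if the job is interrupted, and a restart that drops live connections.
# Assumed (not on the page): the binary paths and the `nginx -t` / reload step.
set -eu

OPENSSL=${OPENSSL:-/usr/bin/openssl}
NGINX=${NGINX:-/usr/sbin/nginx}
SYSTEMCTL=${SYSTEMCTL:-/bin/systemctl}

# rotate_dhparam DEST [BITS]
# Generate fresh DH parameters into a temp file beside DEST, verify them
# with openssl, then rename over DEST so nginx only ever reads a complete
# file (rename is atomic within one filesystem, hence "same directory").
rotate_dhparam() {
    dest=$1
    bits=${2:-4096}   # 4096 as in the post; smaller only for quick tests
    dir=$(dirname "$dest")
    tmp=$(mktemp "$dir/dhparam.XXXXXX")   # mktemp creates it mode 0600
    # Leave no temp file behind if any step below fails (set -e exits).
    trap 'rm -f "$tmp"' EXIT
    "$OPENSSL" dhparam -out "$tmp" "$bits" 2>/dev/null
    # Refuse to install parameters that openssl itself cannot validate.
    "$OPENSSL" dhparam -check -noout -in "$tmp" >/dev/null 2>&1
    chmod 600 "$tmp"
    mv -f "$tmp" "$dest"
    trap - EXIT
}

# reload_nginx: test the config first, then reload (new workers pick up
# the new parameters; existing connections finish on the old ones).
reload_nginx() {
    "$NGINX" -t >/dev/null 2>&1 && "$SYSTEMCTL" reload nginx.service
}

# Invoked from cron as: /usr/local/sbin/rotate-dhparam.sh --rotate
case ${1:-} in
    --rotate) rotate_dhparam /etc/nginx/dhparam.pem 4096 && reload_nginx ;;
esac
```

Generating a 4096-bit safe prime can take many minutes, which is another reason not to write directly to the file nginx is reading.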