Should I set Diffie-Hellman parameters for nginx ssl

I have set up nginx with ssl. Everything works perfectly, with online tools giving the domain a good score.

Now I am wondering about one particular nginx configuration option: ssl_dhparam. Should I generate and set these parameters? Does it have any influence on security or computational load of ssl?


Solution 1:

Should I generate and set these parameters?

Yes.

Does it have any influence on [the] security...of ssl?

Yes, when enabling Perfect Forward Secrecy. An appropriate ciphersuite must also be configured.

If an attacker compromises your TLS in the future, with PFS the past traffic they intercepted and retained still cannot be decrypted.

Generate a DHE prime no smaller than your SSL certificate RSA private key. Given a 2048 bit private key:

$ openssl dhparam -out dhparam.pem 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
..+..+...............+

Does it have any influence on [the]...computational load of ssl?

Too little to worry about.

  • conventional wisdom that TLS is slow is outdated
  • the advantage of PFS outweighs the cost
  • TLS is well handled by modern CPUs; adding DH has a minor incremental cost compared to the total cost of TLS
  • this cost is only incurred during the TLS handshake; a well-tuned TLS does the handshake infrequently or otherwise reduces the cost with session resumption, false-start, OCSP stapling, and more

Google I/O 2014 had a good HTTPS Everywhere talk which covered these and related topics in a broad fashion.

Solution 2:

Diffie-Hellman is a good algorithm for key exchange but it takes too much time for computation, slowing your website down. I recommend using RC4-SHA which is weaker than DH but serves its purpose. If it helps, google.com uses RC4-SHA. You can check out the algorithm for any website using the following:

openssl s_client -host HOSTNAME -port 443

I suggest you check out what kind of key exchange and encryption other websites similar to yours are using and use a suitable algorithm.
Also read this article on the same topic.