openssl dhparam -out /tmp/dhparam.pem 2048

As it can take some time and it isn't required for the following steps, I was thinking of making it run in the background, but I can't find a way to make it run quietly; it keeps logging in the terminal where the script is running.
dhparam is 4096 (openssl dhparam -out dhparam4096.pem 4096) - This takes approx 1 hour to generate, useless for an automated solution; EDIT. 2048 is enough security for the next 40 years. No one has ever cracked a 1024, let alone a 2048!

openssl -- OpenSSL command line tool
OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them. The openssl program is a command line tool for using the various cryptography functions of OpenSSL's crypto library from the shell.

Configure OpenSSL directives - OCLC Support
dhparam: These parameters can now be included within a key file in the SSL subdirectory. Such values can be generated with the OpenSSL dhparam command.
Elliptical Curve parameters: ecparam: These parameters can now be included within a key file in the SSL subdirectory. Such values can be generated with the OpenSSL ecparam command.
This is because after a recent update to openssl on CentOS 6, openssl-1.0.1e-30.el6.11.x86_64, programs using this library started to refuse to connect to servers vulnerable to the Logjam TLS vulnerability. You need to configure sendmail to use a stronger temporary Diffie–Hellman key — at least 1024 bit.
If you used openssl dhparam -out dhparam2048.pem 2048 to generate a new pair, you can use openssl dhparam -noout -text -check -in dhparam2048.pem to read and print that file in text mode. You will have to copy and paste the text into the Java security properties (using tr -d ':' to remove the : between the openssl hex representation).

Module ngx_http_ssl_module - Nginx
centos - sendmail rejecting some connections with
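nginx: Differences in behavior with and without ssl_dhparam - Qiita
Behavior differences with and without ssl_dhparam. Specifically, let's check how the cipher suites change depending on whether this parameter is set or not. For now, the SSL parameters other than ssl_dhparam are set as follows.

Strong SSL Security on Apache2 - Raymii.org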