On Ubuntu 12.04.5 LTS the DH parameters the stock packages use are only 1024 bits, which is considered weak by today's standards.
You will need to generate a new set at 2048 or 4096 bits. 2048 is the usual minimum; the size does not have to match your certificate's public key size, though keeping the two at a similar security level (2048-bit DH with a 2048-bit RSA key) is a reasonable rule of thumb, and larger parameters make every DHE handshake more expensive for the server.
1. Create a directory to hold the parameter files:

    mkdir /etc/ssl/dh

2. Change into it:

    cd /etc/ssl/dh

3. Generate the new DH parameters at 2048 bits. The -5 flag selects generator 5; OpenSSL's default generator is 2 and either is fine. The file name is only a label: the file holds DH parameters, not an RSA key.

    openssl dhparam -out RSA2048.pem -5 2048

   And at 4096 bits (this is a random search for a 4096-bit safe prime and can take anywhere from minutes to over an hour depending on the CPU):

    openssl dhparam -out RSA4096.pem -5 4096

4. You can also generate DSA-style parameters with -dsaparam. These are created in seconds because the prime does not have to be a safe prime, but the openssl dhparam documentation warns that a server using them must generate a fresh DH private key for every connection to avoid small-subgroup attacks, so only use these files with daemons that do so. At 2048 bits:

    openssl dhparam -dsaparam -out DSA2048.pem 2048

   And at 4096 bits:

    openssl dhparam -dsaparam -out DSA4096.pem 4096
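The steps above generate a file but never look inside it, so a typo in the size or a left-over 1024-bit file goes unnoticed until a scanner flags the server. The script below is an added example, not part of the original post: it wraps the generation in a function and refuses to report success unless OpenSSL's own parameter check passes and the modulus is at least 2048 bits. It assumes an OpenSSL 1.0.1 or newer openssl binary on PATH and a writable output directory (default /etc/ssl/dh, following the post; the RSA<bits>.pem file name also follows the post's convention). The script name dhgen.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original post: generate a DH parameter file
# and verify what is actually in it before pointing a daemon at it.
# Assumptions: an OpenSSL 1.0.1+ 'openssl' binary on PATH; the output
# directory (default /etc/ssl/dh, as in the post) is writable.
set -e

DH_DIR="${DH_DIR:-/etc/ssl/dh}"

# gen_dh_params BITS OUTFILE [safe|dsaparam]
# "safe" (default) produces a safe prime with generator 2, OpenSSL's default;
# add -5 to the command if you want generator 5 as the post does. "dsaparam"
# produces DSA-style parameters in seconds, but those must only be used by
# servers that pick a fresh DH private key for every connection.
gen_dh_params() {
    bits="$1"; out="$2"; style="${3:-safe}"
    if [ "$style" = "dsaparam" ]; then
        openssl dhparam -dsaparam -out "$out" "$bits" 2>/dev/null
    else
        openssl dhparam -out "$out" "$bits" 2>/dev/null
    fi
}

# dh_param_bits FILE
# Prints the modulus size parsed from 'openssl dhparam -text', e.g. "2048",
# or nothing if the file cannot be read as DH parameters.
dh_param_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# dh_check_file FILE MIN_BITS
# Returns 0 only if OpenSSL's parameter check passes (p is prime, g is a
# usable generator, and so on) and the modulus is at least MIN_BITS long.
# This is the test that catches a left-over 1024-bit file or a truncated PEM.
dh_check_file() {
    file="$1"; min="$2"
    openssl dhparam -in "$file" -noout -check >/dev/null 2>&1 || return 1
    bits=$(dh_param_bits "$file")
    [ -n "$bits" ] && [ "$bits" -ge "$min" ]
}

# main BITS [OUTFILE]: generate, then refuse to report success unless the
# file checks out at 2048 bits or more. The default file name follows the
# post's RSA<bits>.pem convention; it holds DH parameters, not an RSA key.
main() {
    bits="$1"
    out="${2:-$DH_DIR/RSA$bits.pem}"
    mkdir -p "$DH_DIR"
    gen_dh_params "$bits" "$out"
    if dh_check_file "$out" 2048; then
        echo "$out: $(dh_param_bits "$out")-bit DH parameters OK"
    else
        echo "$out: parameter check FAILED, do not deploy" >&2
        return 1
    fi
}

# Only run when given a size, e.g. "sh dhgen.sh 2048"; with no arguments the
# file just defines the functions so it can be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh dhgen.sh 2048` (or `sh dhgen.sh 4096 /etc/ssl/dh/RSA4096.pem`). Once a daemon has been restarted with the new file, confirm what it actually negotiates from a client with OpenSSL 1.0.2 or newer: `openssl s_client -connect mail.example.com:993 -cipher DHE </dev/null 2>/dev/null | grep 'Server Temp Key'` should print `DH, 2048 bits` rather than 1024.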
Now add the directives to your servers: Courier-IMAP, Dovecot, Nginx and Postfix. Restart each daemon afterwards.

Courier-IMAP (/etc/courier/imapd-ssl)

    TLS_DHPARAMS=/etc/ssl/dh/RSA2048.pem

Dovecot (the 2.0 series shipped with Ubuntu 12.04 generates its own parameters of the requested length at startup rather than reading the file created above; Dovecot 2.3 removed this setting in favour of ssl_dh pointing at a parameter file)

    ssl_dh_parameters_length = 2048

Nginx (in the server block that has ssl enabled)

    ssl_dhparam /etc/ssl/dh/RSA2048.pem;

Postfix (main.cf; the "1024" in the parameter name is historical, the file is used for all non-export DHE cipher suites whatever its size)

    smtpd_tls_dh1024_param_file = /etc/ssl/dh/RSA2048.pem
Enjoy!