
How can I validate that I've properly set up my Apache 2.4.6 server with a custom 2048-bit (or 4096-bit) dhparams config?

Following the weakdh.org sysadmin guide, I created my own dhparams.pem file with openssl dhparam -out dhparams.pem 2048. The guide says to add this to the apache mod_ssl config with SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}", but this is only valid for Apache >= v2.4.7. I'm using CentOS 7, which uses Apache v2.4.6.

According to this Server Fault question, the solution in Apache v2.4.6 is to append it to the certificate file. So I did a cat /etc/pki/dhparam/dhparam.pem >> /etc/letsencrypt/live/openbuildinginstitute.org/cert.pem (and also cat /etc/pki/dhparam/dhparam.pem >> /etc/letsencrypt/live/openbuildinginstitute.org/fullchain.pem) and restarted Apache.

But how do I verify from the client-side (my browser) that this config is in effect?

This is especially an issue as we use Let's Encrypt, so we want to make sure our 90-day cert renewals include this step, and I want to be able to verify it from the browser.

I already tried downloading the certificate with firefox's "View Certificate" -> "Details" -> "Export...", and I confirmed that the "-----BEGIN DH PARAMETERS-----" was absent from the resulting file.

Michael Altfield

2 Answers


You can check the exact prime in use by using Wireshark and listening on the connection.

  1. Filter the connection with ssl && ip.addr == <host ip>
  2. Connect to the server with openssl s_client -connect <ip or fqdn>:443 -servername <virtual host name> -tls1_2 -cipher DHE. DHE is important because ECDHE uses a different scheme.
  3. Check Wireshark for the ServerKeyExchange. You get the key length in bytes and the prime. I didn't put a dhparams file in, so you can see that apache2 uses the Oakley Group 2 prime (RFC 2409).
  4. Compare with the prime in your DH file with openssl dhparam -in /path/to/dhparam.pem -noout -text -check.

(Wireshark screenshot: ServerKeyExchange dissection)

FalcoGer

This SuperUser question provides an openssl command that will output the ServerKeyExchange in hex, and from that you can calculate the bit size.

This is helpful, but I'd prefer a command that could extract relevant data from the hex encoding & just print the base-10 bit size.

Michael Altfield
    Hi maltfield, this looks more like a supplement to your question than an answer? – bummi Sep 12 '17 at 14:06
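A worked version of both answers above, added here as an example; it is not code from either answer or from the question's author. It is a Python 3 script that takes the hex dump `openssl s_client ... -msg` prints for the ServerKeyExchange, parses the ServerDHParams out of it, reports the prime's bit size in decimal (what the second answer asks for), and compares the prime and generator with the DH PARAMETERS block in the local dhparam.pem (the comparison the first answer does by eye in Wireshark). It also flags the RFC 2409 Oakley group 2 prime the first answer saw on a server without custom parameters. The `-msg` output layout it parses is an assumption about OpenSSL's formatting, the function names (`check_dh`, `build_msg_sample`, ...) are my own, and the sample handshake bytes are constructed here, not captured from any server; the ServerDHParams layout is from RFC 5246 and the PEM structure from PKCS#3.

```python
import base64
import re

# RFC 2409 section 6.2, the 1024-bit "second Oakley group" prime; the Wireshark
# answer above saw mod_ssl send it when no custom dhparams were configured.
OAKLEY_GROUP_2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)

def parse_server_dh_params(body):
    """(p, g, Ys) from a ServerKeyExchange payload (after its 4-byte handshake header):
    three 2-byte-length-prefixed big-endian ints (RFC 5246 7.4.3); signature ignored."""
    out, off = [], 0
    for _ in range(3):
        n = int.from_bytes(body[off:off + 2], "big")
        off += 2
        if n == 0 or off + n > len(body):
            raise ValueError("truncated ServerDHParams")
        out.append(int.from_bytes(body[off:off + n], "big"))
        off += n
    return tuple(out)

def server_key_exchange_from_msg(text):
    """ServerKeyExchange payload from `openssl s_client -msg` output. ASSUMED format:
    a '<<< ... ServerKeyExchange' header line, then indented lines of hex byte pairs
    starting with the handshake header (0c + 3-byte length), up to the next header."""
    hexpairs, capturing = [], False
    for line in text.splitlines():
        toks = line.split()
        if not capturing:
            capturing = line.lstrip().startswith("<<<") and "ServerKeyExchange" in line
        elif toks and all(re.fullmatch(r"[0-9a-fA-F]{2}", t) for t in toks):
            hexpairs.extend(toks)
        elif toks:
            break
    raw = bytes.fromhex("".join(hexpairs))
    if len(raw) < 4 or raw[0] != 0x0C:  # 12 = HandshakeType server_key_exchange
        raise ValueError("no ServerKeyExchange hex dump found")
    return raw[4:4 + int.from_bytes(raw[1:4], "big")]

# Minimal DER for PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER },
# the structure `openssl dhparam` writes between the DH PARAMETERS markers.
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb

def _der_int(n):  # a leading 0x00 when the top bit is set keeps the INTEGER positive
    b = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(b)) + b

def _der_read(buf, off):
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln

def dhparams_to_pem(p, g):
    """PEM DH PARAMETERS block for (p, g); used here only to build the constructed sample."""
    seq = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(seq)) + seq).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"

def dhparams_from_pem(text):
    """(p, g) from the DH PARAMETERS block of a PEM file, skipping any certificates
    concatenated into the same file, as in the question's cert.pem."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block in file")
    tag, seq, _ = _der_read(base64.b64decode("".join(m.group(1).split())), 0)
    tag_p, p, off = _der_read(seq, 0)
    tag_g, g, _ = _der_read(seq, off)
    if (tag, tag_p, tag_g) != (0x30, 0x02, 0x02):
        raise ValueError("not SEQUENCE { INTEGER, INTEGER }")
    return int.from_bytes(p, "big"), int.from_bytes(g, "big")

def check_dh(msg_output, local_pem):
    """Compare the prime the server actually sent with the local dhparams file."""
    p, g, _ys = parse_server_dh_params(server_key_exchange_from_msg(msg_output))
    local_p, local_g = dhparams_from_pem(local_pem)
    return {"server_bits": p.bit_length(),
            "matches_local": p == local_p and g == local_g,
            "is_oakley_group_2": p == OAKLEY_GROUP_2_P}

def build_msg_sample(p, g, ys):
    """Constructed stand-in for `openssl s_client -msg` output; no server is contacted."""
    def vec(n):
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return len(b).to_bytes(2, "big") + b
    body = vec(p) + vec(g) + vec(ys) + b"\x04\x01\x00\x10" + b"\xaa" * 16  # dummy signature
    hs = b"\x0c" + len(body).to_bytes(3, "big") + body
    dump = "\n".join("    " + " ".join(f"{b:02x}" for b in hs[i:i + 16]) for i in range(0, len(hs), 16))
    return (f"<<< TLS 1.2 Handshake [length {len(hs):04x}], ServerKeyExchange\n{dump}\n"
            "<<< TLS 1.2 Handshake [length 0004], ServerHelloDone\n    0e 00 00 00\n")
```

To run it against a live server, capture the handshake the way the first answer does but with `-msg` instead of Wireshark, e.g. `openssl s_client -connect <fqdn>:443 -servername <fqdn> -tls1_2 -cipher DHE -msg </dev/null > ske.txt`, then call `check_dh(open("ske.txt").read(), open("/etc/pki/dhparam/dhparam.pem").read())`. `server_bits` is the decimal size the second answer wanted; `matches_local` is the check worth scripting after each Let's Encrypt renewal, since a renewal that rewrites cert.pem without the appended block will make it go False while the connection still looks fine in a browser. Offline, `check_dh(build_msg_sample(OAKLEY_GROUP_2_P, 2, 0x1234), dhparams_to_pem(OAKLEY_GROUP_2_P, 2))` exercises the parser on the constructed sample.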