Caddy Equivalent of ssl_dhparam on nginx


(LouieK22) #1

I recently switched from nginx to caddy and I’ve run into a bit of an issue.

Caddy uses 1024 bit keys for diffie-hellman exchanges. On nginx I just bumped that up to 2048 with the ssl_dhparam directive. However, when looking through the docs I found no equivalent. So am I missing something or has this feature or its equivalent just not been added?

I suppose this is a bit nit-picky anyways for it being a test server, but practice makes perfect?

For reference, this is where I am getting this information https://www.htbridge.com/ssl/?id=tzdaQHF4


(Matt Holt) #2

That’s strange, because caddyserver.com gets an A+ on the same report, and I haven’t changed the TLS configuration at all: https://www.htbridge.com/ssl/?id=T9puALOB

Are you sure there’s nothing in front of your Caddy instance?


(LouieK22) #3

There shouldn’t be anything in front of my server. It’s on my VPS, listening on port 80. I’m planning to use it as a reverse proxy.


(Matthew Fay) #4

Curious. I refreshed your test at https://www.htbridge.com/ssl/?id=tzdaQHF4. The result was

Key Type/Size RSA 2048 bits

with an A+ final grade. Did you make any changes to your configuration to achieve that?


(LouieK22) #5

I haven’t changed anything. So I’m not sure what could’ve changed. I’m just going to mark your message as the solution and move on.


(Matthew Fay) #6

No worries, let us know if you see it happening again!


(Mark) #7

Go, the language Caddy is written in, does not know anything other than elliptic-curve Diffie-Hellman. Neither can something like ssl_dhparam be set, nor are »1024 or 2048 bits« used.
https://github.com/golang/go/blob/release-branch.go1.9/src/crypto/tls/cipher_suites.go#L78-L105

In other words, there are plain RSA suites without any perfect-forward-secrecy (PFS) and ECDHE_{RSA,ECDSA}. Nothing else. Not implemented is any EDH_{RSA,ECDSA}.

If anything like eq 3072 bits is displayed, then the SSL check site likely means ECDHE with a 256-bit curve has been used.
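To make the point above checkable rather than taking the source link on faith, here is an added Go example (not code from the thread, from Caddy or from the Go project) that walks the cipher suites Go's crypto/tls package actually ships and classifies each by its key exchange. It also shows the Go-side knob that corresponds to what ssl_dhparam is usually reached for: since there is no finite-field DHE to size, the equivalent hardening is to choose the ECDHE curves (CurvePreferences) and drop the static-RSA suites. The classification by name prefix and the helper names are the example's own assumptions; tls.CipherSuites and tls.InsecureCipherSuites exist in Go 1.14 and later.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// KeyExchangeKind labels the key exchange a TLS cipher suite name advertises.
type KeyExchangeKind string

const (
	KxECDHE   KeyExchangeKind = "ECDHE"   // elliptic-curve ephemeral DH: forward secrecy
	KxRSA     KeyExchangeKind = "RSA"     // RSA key transport: no forward secrecy
	KxTLS13   KeyExchangeKind = "TLS1.3"  // TLS 1.3 suites: always (EC)DHE, group chosen separately
	KxFFDHE   KeyExchangeKind = "DHE"     // finite-field ephemeral DH: what ssl_dhparam sizes on nginx
	KxUnknown KeyExchangeKind = "unknown" // anything this example does not recognise
)

// ClassifyKeyExchange maps an IANA suite name to its key exchange kind.
// (Assumption of this example: IANA naming, TLS_<kx>_<sig>_WITH_... or the TLS 1.3 short form.)
func ClassifyKeyExchange(name string) KeyExchangeKind {
	switch {
	case strings.HasPrefix(name, "TLS_AES_") || strings.HasPrefix(name, "TLS_CHACHA20_"):
		return KxTLS13
	case strings.HasPrefix(name, "TLS_ECDHE_"):
		return KxECDHE
	case strings.HasPrefix(name, "TLS_DHE_"):
		return KxFFDHE
	case strings.HasPrefix(name, "TLS_RSA_"):
		return KxRSA
	}
	return KxUnknown
}

// CountKeyExchanges tallies every suite the Go standard library knows,
// including the ones it marks insecure, by key exchange kind.
func CountKeyExchanges() map[KeyExchangeKind]int {
	counts := map[KeyExchangeKind]int{}
	for _, cs := range tls.CipherSuites() {
		counts[ClassifyKeyExchange(cs.Name)]++
	}
	for _, cs := range tls.InsecureCipherSuites() {
		counts[ClassifyKeyExchange(cs.Name)]++
	}
	return counts
}

// HasFiniteFieldDHE reports whether Go offers any classic DHE suite at all.
// This is the property the post states: it is expected to be false.
func HasFiniteFieldDHE() bool {
	return CountKeyExchanges()[KxFFDHE] > 0
}

// ForwardSecrecyConfig is the Go-side counterpart of "tighten the key exchange":
// prefer X25519 and P-256 for ECDHE and keep only the ECDHE suites for TLS 1.2.
// TLS 1.3 ignores CipherSuites (its suites are all forward secret already)
// but still honours CurvePreferences.
func ForwardSecrecyConfig() *tls.Config {
	var ids []uint16
	for _, cs := range tls.CipherSuites() {
		if ClassifyKeyExchange(cs.Name) == KxECDHE {
			ids = append(ids, cs.ID)
		}
	}
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
		CipherSuites:     ids,
	}
}

func main() {
	for kind, n := range CountKeyExchanges() {
		fmt.Printf("%-8s %d suites\n", kind, n)
	}
	fmt.Println("finite-field DHE available:", HasFiniteFieldDHE())
	fmt.Println("TLS 1.2 suites kept by ForwardSecrecyConfig:", len(ForwardSecrecyConfig().CipherSuites))
}
```

Run it with `go run .`: the DHE line stays at zero on every Go release, which is why a scanner that reports a "DH parameter size" against a Caddy instance is either measuring something in front of Caddy or translating ECDHE curve strength into an RSA/DH-equivalent figure.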


(system) #8

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.