How to use DH certificate to configure nginx server



  • My purpose is to leverage the DH algorithm to enhance a self-signed certificate (a toy on my local computer).

    I referred to the answer of Matt Caswell. It works fine to generate the dhcert.pem but fails to configure nginx OpenSSL generates DS-RSA key

    I match the dhcert.pem with ssl_certificate entry and the dhkey.pem with ssl_certificate_key entry. However, with 'nginx -t' checker, it says

    SSL: error:140BF0F7:SSL routines:ssl_set_cert:unknown certificate type

    I've already set the dhparam in the nginx configuration file as well. I don't know what causes the problem.

    Also, I accept almost all the ciphers:

    ssl_prefer_server_ciphers on;

    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';



  • OpenSSL removed support for DH certificates in libssl starting with OpenSSL 1.1.0. You can still create the certificates, but you can't use them in a TLS connection. In order to do so you would have to use an earlier version of OpenSSL (none of which are currently supported by the project). You would need OpenSSL 1.0.2 or earlier.
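
A pre-flight check for the situation in this thread, as an added example that is not part of the original posts: it reads a certificate's public-key algorithm, flags DH certificates before they reach `ssl_certificate`, and generates a self-signed RSA certificate to use instead. The function names, file names and the `/CN=localhost` subject are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. All names and paths are assumptions.

# Print the certificate's public-key algorithm as OpenSSL names it,
# e.g. rsaEncryption, id-ecPublicKey, dhKeyAgreement.
cert_key_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Succeed if the certificate carries a static DH public key (PKCS#3 or
# X9.42), the type libssl in OpenSSL 1.1.0 and later no longer accepts.
is_dh_cert() {
    case "$(cert_key_alg "$1")" in
        dhKeyAgreement|"X9.42 DH") return 0 ;;
        *) return 1 ;;
    esac
}

# Create a self-signed RSA key and certificate for local testing in dir $1.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=localhost" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Report whether a certificate should be handed to ssl_certificate.
check_for_nginx() {
    if is_dh_cert "$1"; then
        echo "reject: DH certificate ($(cert_key_alg "$1"))"
        return 1
    fi
    echo "not a DH certificate: $(cert_key_alg "$1")"
}

# Demo: generate a replacement certificate in a scratch directory and check it.
demo_dir=$(mktemp -d)
make_selfsigned "$demo_dir" && check_for_nginx "$demo_dir/server.crt"
rm -rf "$demo_dir"
```

With an RSA certificate in place, the `ssl_dhparam` file still supplies the parameters for the DHE cipher suites in the `ssl_ciphers` list.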


