Tag Archives: dhparam

Add DHParam to Plesk Panel

You can fix Logjam for the Plesk Panel by simply adding the standard Nginx ssl_dhparam directive to the plesk.conf file.
This is very similar to my previous posts on adding OCSP and HSTS to Plesk.

First you will need to create your dhparam file; you can follow my guide Creating DH Parameters. Then locate the Plesk configuration file and edit it with your favourite editor…

# nano /etc/sw-cp-server/conf.d/plesk.conf

And add the Nginx ssl_dhparam directive above the certificate entries like so…

ssl_dhparam /etc/ssl/dh/RSA2048.pem;
ssl_certificate /opt/psa/admin/conf/httpsd.pem;
ssl_certificate_key /opt/psa/admin/conf/httpsd.pem;

Save the file and restart the Plesk server…

# service sw-cp-server restart

And you are good to go.
I hope that helps someone.

Creating DH Parameters

By default, DH parameters are just 1024 bits in Ubuntu 12.04.5 LTS, which is considered weak by today's standards.
You will need to create a new set of either 2048-bit or 4096-bit, depending on your certificate's public key size.

1. Create a folder to hold the dhparams…

# mkdir /etc/ssl/dh

2. Move to that directory

# cd /etc/ssl/dh

3. Create the new DH Parameters, at 2048-bit

# openssl dhparam -out RSA2048.pem -5 2048

And 4096-bit (this will take some time)

# openssl dhparam -out RSA4096.pem -5 4096

4. You can also create DSA versions, at 2048-bit…

# openssl dhparam -dsaparam -out DSA2048.pem 2048

And 4096-bit

# openssl dhparam -dsaparam -out DSA4096.pem 4096
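
To confirm that a parameter file really holds a group of the intended size before pointing a server at it, the sketch below (an added example, not from the original post) parses a PKCS#3 "DH PARAMETERS" PEM block and reports the prime length and generator. The function names, the MIN_BITS floor and the sample_pem helper are assumptions made for illustration; the sample it builds is constructed and is not a real prime.

```python
import base64
import re

MIN_BITS = 2048  # assumed floor: the post treats the 1024-bit default as weak

def _read_len(der, i):
    # DER length at offset i -> (length, offset of value); short or long form
    if der[i] < 0x80:
        return der[i], i + 1
    n = der[i] & 0x7F
    return int.from_bytes(der[i + 1:i + 1 + n], "big"), i + 1 + n

def _read_int(der, i):
    # DER INTEGER at offset i -> (value, offset just past it)
    if der[i] != 0x02:
        raise ValueError("expected INTEGER")
    length, start = _read_len(der, i + 1)
    return int.from_bytes(der[start:start + length], "big"), start + length

def dh_group_info(pem_text):
    """Return (prime_bits, generator) from a 'DH PARAMETERS' PEM block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.+?)-----END DH", pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, i = _read_len(der, 1)   # skip the SEQUENCE header
    p, i = _read_int(der, i)   # first INTEGER is the prime p
    g, _ = _read_int(der, i)   # second INTEGER is the generator g
    return p.bit_length(), g

def is_weak(pem_text, min_bits=MIN_BITS):
    # True when the group is smaller than the floor (e.g. a 1024-bit default)
    return dh_group_info(pem_text)[0] < min_bits

def _der(tag, body):
    # Encode one DER TLV; used only to build the constructed sample below
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_pem(bits, g=5):
    """Constructed sample: p has the requested size but is NOT a real prime."""
    p = (1 << (bits - 1)) | 1
    ints = b"".join(_der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in (p, g))
    b64 = base64.encodebytes(_der(0x30, ints)).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + b64 + "-----END DH PARAMETERS-----\n"
```

To check a real file, pass its contents in, for example dh_group_info(open("/etc/ssl/dh/RSA2048.pem").read()).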

The Directives

Now you can add the directives to your servers: Courier-Imap, Dovecot, Nginx and Postfix.

Courier-Imap

TLS_DHPARAMS=/etc/ssl/dh/RSA2048.pem

Dovecot (creates its own)

ssl_dh_parameters_length = 2048

Nginx

ssl_dhparam /etc/ssl/dh/RSA2048.pem;

Postfix (despite the name, this parameter sets the group used for all non-export DHE ciphers)

smtpd_tls_dh1024_param_file = /etc/ssl/dh/RSA2048.pem

Enjoy!