> > On investigation, we found the certificate is not the problem as our
> certificate is already 2048 bit.
>
> What else might this be?
>
> Thanks

https://weakdh.org

Out of interest, I looked into this. I haven’t exposed my web-interface, so I can’t check with ssllabs checker.

Above site recommends:

ssl.dh-file=

and the path to the strong dh-group created by

openssl dhparam -out dhparams.pem 2048

However, this is not included in my configuration:

ssl.engine = "enable"
ssl.pemfile = "/var/etc/cert.pem"
ssl.engine = "enable"
ssl.pemfile = "/var/etc/cert.pem"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.honor-cipher-order = "enable"
ssl.cipher-list = "AES128+EECDH:AES256+EECDH:AES128+EDH:AES256+EDH:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!DSS"

Maybe pfSense is smart enough to figure out that maybe my aging ALIX board is just too slow for this?

[2.2.4-RELEASE][[email protected]]/tmp: time openssl dhparam -out dhparams.pem 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..........................................................+..........................................................+..............................................................................................................................................................................................................................+............................................................................................+......................................................................+......................................................+..........................................................................................................................................................+............................................+.........................+.........+......+...............+.....................................................................+...........................................................................................+............................................................................++*++*
unable to write 'random state'
844.901u 0.105s 15:05.79 93.2% 613+197k 0+2io 13pf+0w

I also can’t find any security-advisory on this.

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
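
An added example, not part of the original message and not pfSense or lighttpd code: a small Python check over lighttpd-style ssl.* directives that reports the situation described in the message above, namely finite-field DHE (EDH) suites enabled in ssl.cipher-list while no ssl.dh-file is configured. The sample configuration is the one quoted in the message; the function names are hypothetical.

```python
import re

# Sample input: the ssl.* directives quoted in the message above.
SAMPLE_CONF = '''
ssl.engine = "enable"
ssl.pemfile = "/var/etc/cert.pem"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.honor-cipher-order = "enable"
ssl.cipher-list = "AES128+EECDH:AES256+EECDH:AES128+EDH:AES256+EDH:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!DSS"
'''

DIRECTIVE = re.compile(r'^\s*(ssl\.[\w-]+)\s*=\s*"([^"]*)"')
# OpenSSL cipher-string keywords that select finite-field (non-EC) DH key exchange.
DHE_KEYWORDS = {"EDH", "DHE", "DH", "kEDH", "kDHE"}

def parse_ssl_directives(conf):
    """Return {directive: last value seen} for ssl.* lines, ignoring # comments."""
    found = {}
    for line in conf.splitlines():
        m = DIRECTIVE.match(line.split("#", 1)[0])
        if m:
            found[m.group(1)] = m.group(2)
    return found

def dhe_entries(cipher_list):
    """Return the cipher-list entries that enable finite-field DHE suites."""
    hits = []
    for entry in re.split(r"[:, ]+", cipher_list):
        if not entry or entry[0] in "!-":   # exclusions and removals enable nothing
            continue
        name = entry.lstrip("+")
        # "AES128+EDH" combines keywords; "DHE-RSA-..." is an explicit suite name.
        # "EECDH" / "ECDHE-..." are elliptic-curve and are not matched here.
        if set(name.split("+")) & DHE_KEYWORDS or name.startswith(("DHE-", "EDH-")):
            hits.append(entry)
    return hits

def audit(conf):
    """Return a list of findings; empty when DHE is off or ssl.dh-file is set."""
    directives = parse_ssl_directives(conf)
    hits = dhe_entries(directives.get("ssl.cipher-list", ""))
    if hits and not directives.get("ssl.dh-file"):
        return ["DHE suites enabled (%s) but ssl.dh-file is not set" % ", ".join(hits)]
    return []

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

The check only confirms that a DH parameter file is referenced; the size of the group inside that file still has to be inspected separately.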
