ssl_dhparam
Specifies the DH parameters for Diffie-Hellman key exchange in SSL/TLS connections.
Description
The ssl_dhparam directive points NGINX at a file containing the finite-field Diffie-Hellman group (the prime modulus p and the generator g) used for the server side of a DHE key exchange. These parameters are public values, not secrets; what they determine is the size of the group in which the ephemeral keys are generated, and therefore how much work an attacker faces in recovering a session's shared secret. Supplying your own file lets you choose a group of adequate size instead of relying on whatever the TLS library would otherwise use. The directive takes a single argument, the path to a PEM-encoded DH parameters file.
When ssl_dhparam is set, NGINX uses the given group for every new TLS connection that negotiates a DHE cipher suite; elliptic-curve ECDHE suites are unaffected, as their curve is selected by ssl_ecdh_curve. Since NGINX 1.11.0 there is no built-in default group, so DHE suites are not offered at all unless this directive is present. The directive is allowed in the http and server contexts, so the group can be set once globally or per virtual host. The file is read when the configuration is loaded, so it must exist and be readable by the NGINX master process at startup and on reload; a missing or unparseable file is rejected as a configuration error at that point rather than surfacing later as handshake failures.
In practice the file is generated once with OpenSSL, for example openssl dhparam -out dhparams.pem 2048 (generating a 2048-bit group can take minutes, and larger sizes much longer), and can be inspected afterwards with openssl dhparam -in dhparams.pem -check -text -noout. Use at least 2048 bits; 1024-bit and smaller groups are considered weak. Larger groups (3072 or 4096 bits) raise the CPU cost of every DHE handshake on the server, so they trade performance for margin. Because the parameters are public group values rather than key material, they do not need to be regenerated on a schedule; a standardized group such as the RFC 7919 ffdhe2048 group is an acceptable alternative to a locally generated one.
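The following script is an added example for this page, not code from nginx or OpenSSL. It parses a PKCS#3 "DH PARAMETERS" PEM file of the kind openssl dhparam writes and applies the checks worth running before a file is referenced from ssl_dhparam: the prime is at least 2048 bits, it is a probable prime, and (p-1)/2 is also prime (a safe prime, which is what openssl dhparam generates). The sample inputs are constructed inline: the RFC 7919 ffdhe2048 group as a good file and a toy 5-bit group (p=23, g=5) as a weak one. All function and constant names are the example's own; the X9.42 variant of the format, which also carries a subgroup order q, is not handled.

```python
"""Check a PEM file before referencing it from nginx's ssl_dhparam.

Added example for this page, not code from nginx or OpenSSL. Handles the PKCS#3
"DH PARAMETERS" form (SEQUENCE { INTEGER p, INTEGER g }) that `openssl dhparam`
writes by default; the X9.42 variant that also carries q is not handled."""
import base64
import secrets

MIN_BITS = 2048  # the page's recommended minimum group size

# RFC 7919 ffdhe2048 prime (Appendix A.1), generator 2; used as the "good" sample.
FFDHE2048_P_HEX = (
    "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1D8B9C583CE2D3695"
    "A9E13641146433FBCC939DCE249B3EF97D2FE363630C75D8F681B202AEC4617A"
    "D3DF1ED5D5FD65612433F51F5F066ED0856365553DED1AF3B557135E7F57C935"
    "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE73530ACCA4F483A797A"
    "BC0AB182B324FB61D108A94BB2C8E3FBB96ADAB760D7F4681D4F42A3DE394DF4"
    "AE56EDE76372BB190B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61"
    "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD733BB5FCBC2EC22005"
    "C58EF1837D1683B2C6F34A26C1B2EFFA886B423861285C97FFFFFFFFFFFFFFFF"
)

def _der_len(n: int) -> bytes:
    if n < 0x80:  # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body  # long form: count octet + length octets

def _der_int(v: int) -> bytes:
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")  # +8 keeps a leading 0x00 if top bit set
    return b"\x02" + _der_len(len(body)) + body

def encode_dhparam_pem(p: int, g: int) -> str:
    """Build a PKCS#3 'DH PARAMETERS' PEM block like the one openssl dhparam -out writes."""
    der = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(der)) + der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_dhparam_pem(pem: str) -> tuple[int, int]:
    """Return (p, g); an optional third INTEGER (privateValueLength) is ignored."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN DH PARAMETERS-----" or lines[-1] != "-----END DH PARAMETERS-----":
        raise ValueError("not a PKCS#3 'DH PARAMETERS' PEM block")
    der = base64.b64decode("".join(lines[1:-1]))
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("malformed DER: expected a single SEQUENCE")
    ints, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x02:
            raise ValueError("malformed DER: expected INTEGER")
        ints.append(int.from_bytes(body, "big"))
    if len(ints) < 2:
        raise ValueError("DH parameters must contain p and g")
    return ints[0], ints[1]

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases; error probability at most 4**-rounds."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:  # write n-1 as d * 2**r with d odd
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a witness of compositeness was found
    return True

def check_dhparam(pem: str, min_bits: int = MIN_BITS) -> dict:
    """Report group size and primality; 'ok' is False if anything disqualifies the file."""
    p, g = parse_dhparam_pem(pem)
    problems = []
    if p.bit_length() < min_bits:
        problems.append(f"p is only {p.bit_length()} bits; want at least {min_bits}")
    if not 1 < g < p - 1:
        problems.append(f"generator {g} is out of range")
    p_prime = is_probable_prime(p)
    safe = p_prime and is_probable_prime((p - 1) // 2)  # safe prime: (p-1)/2 is prime too
    if not p_prime:
        problems.append("p is not prime")
    elif not safe:
        problems.append("p is prime but (p-1)/2 is not, so no safe-prime guarantee")
    return {"bits": p.bit_length(), "generator": g, "safe_prime": safe, "problems": problems, "ok": not problems}

# Constructed sample inputs: the RFC 7919 group, and a toy 5-bit safe prime (p=23, g=5).
GOOD_PEM = encode_dhparam_pem(int(FFDHE2048_P_HEX, 16), 2)
WEAK_PEM = encode_dhparam_pem(23, 5)

if __name__ == "__main__":
    print("ffdhe2048:", check_dhparam(GOOD_PEM)["ok"], "toy:", check_dhparam(WEAK_PEM)["problems"])
```

To check a real file, read it and pass its contents to check_dhparam; a file that openssl dhparam produced should come back with ok set to True and safe_prime True, while anything under 2048 bits is flagged regardless of primality. The probable-prime tests on a 2048-bit group take on the order of a second in CPython.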
Config Example
server {
    listen 443 ssl;
    ssl_certificate     /path/to/certificate.pem;
    ssl_certificate_key /path/to/privatekey.pem;
    # Finite-field DH group used whenever a client negotiates a DHE cipher suite.
    # Generate with: openssl dhparam -out /path/to/dhparams.pem 2048
    ssl_dhparam         /path/to/dhparams.pem;
}

Ensure the DH parameters file exists and is readable by the NGINX process when the configuration is loaded; a missing or unparseable file is reported as a configuration error at startup or reload (nginx -t will show it), not as an SSL handshake error.
Using insufficiently strong DH parameters weakens every DHE handshake that uses them; use a group of at least 2048 bits.
Changes to the DH parameters file take effect only after NGINX is reloaded, because the file is read when the configuration is loaded.