>> I'm using Mozilla's "Old backward compatibility" ssl_ciphers so I feel
>> good about my compatibility there, but does the following open me up
>> to potential compatibility problems:
>>
>> # openssl dhparam -out dhparams.pem 2048
>
>
> DHE params larger than 1024 bits are not compatible with java 6/7 clients.
> If you need compatibility with those clients, use a DHE of 1024 bits, or
> disable DHE entirely.


My server is open to the internet so I'd like to maintain
compatibility with as many clients as possible, but I don't serve any
java apps. Given that, will DHE params larger than 1024 bits affect
my compatibility?

If so, I believe a DHE of 1024 bits opens me to the LogJam attack, so
if I disable DHE entirely will that affect my compatibility?

- Grant

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx