Need help with Diffie-Hellman encryption (lighttpd) not working

Hi!

I need help with Diffie-Hellman SSL encryption in Pi-hole to use it with HTTPS.

Version: lighttpd/1.4.53 (ssl)

This key works with lighttpd:

openssl req -new -x509 -keyout private.pem -out private.pem -days 365 -nodes

lighttpd is running with this key above. (x509)

openssl dhparam -dsaparam -out private-dh.pem 4096

lighttpd did not start with this key (Diffie-Hellman)
Output:

lighttpd[32659]: 2019-08-16 21:25:02: (mod_openssl.c.1282) ssl.pemfile has to be set in same scope as other ssl.* directives, unless only ssl.engine is set, ...
lighttpd[32659]: 2019-08-16 21:25:02: (server.c.1183) Initialization of plugins failed. Going down.
systemd[1]: lighttpd.service: Control process exited, code=exited, status=255/EXCEPTION
systemd[1]: lighttpd.service: Failed with result 'exit-code'.
systemd[1]: Failed to start "lighttpd".

Here is my HTTPS/SSL config in lighttpd.conf:

server.modules += ("mod_openssl")
$SERVER["socket"] == "my-ip-hide:443" {
    ssl.engine = "enable"
    ssl.disable-client-renegotiation = "enable"
    ssl.dh-file = "/path/to/private-dh.pem"
    #ssl.pemfile = "/path/to/private.pem"
    ssl.ec-curve = "secp384r1"

    setenv.add-environment = ( "HTTPS" => "on" )
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.openssl.ssl-conf-cmd = ( "Protocol" => "-TLSv1.1, -TLSv1, -SSLv3" )

    setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=15768000;" )
}

#/-REDIRECT-#
$HTTP["scheme"] == "http" {
    $HTTP["host"] =~ "." {
        url.redirect = ( ".*" => "https://%0$0" )
    }
}

How can I get DH encryption with lighttpd to work?

I went back to an old lighttpd config and removed the (ssl.dh-file = "/path/to/private-dh.pem") line.
Because I can't get it to work with DH, I gave up.

Try creating the pem without the -dsaparam argument:

https://www.raymii.org/s/tutorials/Strong_SSL_Security_On_lighttpd.html

Not really a Pi-hole issue.
And certainly not when Pi-hole drops lighttpd on next major release :wink:


15 minutes and the key is still being created. I have an 8-core AMD CPU at 4 GHz.

How long does it take to create the key @deHakkelaar?
Hours?

curl https://ssl-config.mozilla.org/ffdhe4096.txt > /path/to/dhparam.pem

Yes, it is a long process and depends heavily on the available entropy.

OK, it's done now, testing...

hmm, not working:

systemd[1]: Starting "lighttpd"...
lighttpd[7060]: 2019-08-17 19:29:44: (mod_openssl.c.1282) ssl.pemfile has to be set in same scope as other ssl.*
lighttpd[7060]: 2019-08-17 19:29:44: (server.c.1183) Initialization of plugins failed. Going down.
systemd[1]: lighttpd.service: Control process exited, code=exited, status=255/EXCEPTION
systemd[1]: lighttpd.service: Failed with result 'exit-code'.
systemd[1]: Failed to start "lighttpd".

I don't know what the error means and how I can fix that. Any idea?

https://ssl-config.mozilla.org/#server=lighttpd&server-version=1.4.54&config=intermediate


I added this and tweaked my lighttpd.conf.

Now Lighttpd is running fine, also with "ssl.dh-file". No errors.

Thanks for your help @DanSchaper! :slight_smile:

# HTTPS access
# IPv4
server.modules += ( "mod_openssl" )
$SERVER["socket"] == "your-ip-here:443" {
    protocol = "https://"

    ssl.engine = "enable"
    ssl.disable-client-renegotiation = "enable"

    ssl.pemfile = "/path/to/key/hTTpZ.pem"
    ssl.ca-file = "/path/to/key/hTTpZ.pem"
    ssl.dh-file = "/path/to/key/hTTpZ-dh.pem"

    setenv.add-environment = ( "HTTPS" => "on" )

    ssl.openssl.ssl-conf-cmd = ( "Protocol" => "ALL, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1", "Curves" => "X25519:prime256v1:secp384r1" )
    ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
    ssl.honor-cipher-order = "disable"

    setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload", "X-Frame-Options" => "DENY", "X-Content-Type-Options" => "nosniff" )
}

# HTTP to HTTPS
$HTTP["scheme"] == "http" {
    $HTTP["host"] =~ "." {
        url.redirect = ( ".*" => "https://%0$0" )
    }
}

Is it right that Firefox shows me this info under 'Page info'?

Technical Details: Connection Encrypted (AES-GCM, 128 bit keys, TLS 1.3)
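The failed start in this thread came from a `$SERVER["socket"]` block that set `ssl.dh-file` and other `ssl.*` directives while `ssl.pemfile` was commented out. The script below is an added example (not from the thread, not part of lighttpd or Pi-hole) that checks a lighttpd.conf for exactly that condition before a restart; the two sample configs are constructed from the postings above.

```shell
#!/bin/sh
# Added example: detect the condition behind the error
#   "ssl.pemfile has to be set in same scope as other ssl.* directives,
#    unless only ssl.engine is set"
# Reads a lighttpd.conf on stdin, prints each offending scope, exits 1 if any.
check_ssl_scopes() {
  awk '
    BEGIN { depth = 0; name[0] = "(global scope)" }
    /^[[:space:]]*#/ { next }                 # commented-out lines do not count (#ssl.pemfile)
    /\{[[:space:]]*$/ {                       # a conditional block opens a new scope
      depth++; name[depth] = $0
      sub(/[[:space:]]*\{[[:space:]]*$/, "", name[depth])
      other[depth] = 0; pem[depth] = 0; next
    }
    /^[[:space:]]*\}/ {                       # scope closes: apply the rule
      if (other[depth] && !pem[depth]) { bad++; print "missing ssl.pemfile in: " name[depth] }
      depth--; next
    }
    /^[[:space:]]*ssl\.pemfile[[:space:]]*=/ { pem[depth] = 1; next }
    /^[[:space:]]*ssl\.engine[[:space:]]*=/  { next }   # ssl.engine alone is allowed
    /^[[:space:]]*ssl\./                      { other[depth] = 1; next }
    END {
      if (other[0] && !pem[0]) { bad++; print "missing ssl.pemfile in: " name[0] }
      exit (bad ? 1 : 0)
    }'
}

# Constructed sample: the original posting (ssl.pemfile commented out, ssl.dh-file set).
broken_conf() {
cat <<'EOF'
server.modules += ("mod_openssl")
$SERVER["socket"] == "my-ip-hide:443" {
  ssl.engine = "enable"
  ssl.dh-file = "/path/to/private-dh.pem"
  #ssl.pemfile = "/path/to/private.pem"
  ssl.ec-curve = "secp384r1"
}
EOF
}

# Constructed sample: the same block with ssl.pemfile present in the same scope.
fixed_conf() {
cat <<'EOF'
server.modules += ("mod_openssl")
$SERVER["socket"] == "my-ip-hide:443" {
  ssl.engine = "enable"
  ssl.pemfile = "/path/to/private.pem"
  ssl.dh-file = "/path/to/private-dh.pem"
}
EOF
}

broken_conf | check_ssl_scopes || echo "broken config rejected (exit $?)"
fixed_conf  | check_ssl_scopes && echo "fixed config accepted"
```

Run it against a real file with `check_ssl_scopes < /etc/lighttpd/lighttpd.conf`; a non-zero exit means lighttpd will refuse to start with the same error.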
