It's not necessary to generate DH parameters to enable ephemeral keys in Nginx. Nginx ships with a static, built-in set of DH parameters. You just need to make sure that the configured cipher suite includes ephemeral keying. And it'll normally be enabled by default as long as you don't specifically disable it.
(For ECDH you don't even have the option of generating new parameters as the curves are fixed by definition.)
Proof of automatic ephemeral keying:
1) ngx_ssl_dhparam in src/event/ngx_event_openssl.c calls SSL_CTX_set_tmp_dh with a statically constructed DH* object if the file parameter is empty.
2) ngx_http_ssl_merge_srv_conf in src/http/modules/ngx_http_ssl_module.c unconditionally calls ngx_ssl_dhparam.
That only establishes automatic ephemeral keying. To get Perfect Forward Secrecy you must make sure that the SSL context regenerates the private key component of the DH parameters for each session. For that you must enable the OP_SINGLE_DH_USE OpenSSL option. That option is unconditionally enabled by ngx_ssl_create in src/event/ngx_event_openssl.c. (The equivalent for ECDH is OP_SINGLE_ECDH_USE, which is also set.)
wahern|11 years ago
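The comment's condition that "the configured cipher suite includes ephemeral keying" can be checked from the `openssl ciphers -v` listing of an nginx `ssl_ciphers` string. The following is an added example, not code from the comment or from nginx: it parses that listing format (assumed as shown in the constructed sample) and reports suites whose key exchange is not ephemeral; `audit_cipher_string` additionally assumes an `openssl` binary on PATH.

```python
import re
import shutil
import subprocess

# Constructed sample in the `openssl ciphers -v` output format (not real server data).
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
"""

# Key-exchange labels OpenSSL prints for ephemeral key agreement: "ECDH" and "DH"
# are the ephemeral forms (static variants print as "ECDH/RSA", "DH/RSA"), and
# TLS 1.3 suites print Kx=any because TLS 1.3 key exchange is always ephemeral.
_EPHEMERAL_KX = {"ECDH", "DH"}
_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)")


def parse_ciphers_v(text: str) -> list[dict]:
    """Parse `openssl ciphers -v` lines into dicts with name, proto, kx, au."""
    suites = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            suites.append(m.groupdict())
    return suites


def has_forward_secrecy(suite: dict) -> bool:
    """True if the suite's key exchange produces a fresh secret per session."""
    kx = suite["kx"]
    return kx in _EPHEMERAL_KX or (suite["proto"] == "TLSv1.3" and kx == "any")


def non_pfs_suites(text: str) -> list[str]:
    """Names of suites in the listing whose key exchange is not ephemeral."""
    return [s["name"] for s in parse_ciphers_v(text) if not has_forward_secrecy(s)]


def audit_cipher_string(cipher_string: str) -> list[str]:
    """Expand an nginx ssl_ciphers value with the local openssl binary (assumed on
    PATH) and return the non-PFS suites it admits."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl binary not found")
    out = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                         check=True, capture_output=True, text=True).stdout
    return non_pfs_suites(out)


if __name__ == "__main__":
    print("non-PFS suites in sample:", non_pfs_suites(SAMPLE_CIPHERS_V))
```

An empty result from `audit_cipher_string` means every suite the string admits negotiates an ephemeral (EC)DH secret, which is the precondition the comment describes before OP_SINGLE_DH_USE and OP_SINGLE_ECDH_USE matter.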