>> I’m confused where the DH 3072 comes from. My question is, what should I
>> configure so that DH 4096 is sent?
>
> Your problem is in step 2) generate DH params - internet.nl explicitly
> states that "Self-generated groups are 'Insufficient'". Follow their
> instructions to download one of the pre-defined groups from RFC 7919
> to make that test happy.

Thanks for your mail! I noticed that advice and already tried it, but it didn’t work!

I’ve copied their file https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem to my /etc/apache2/dhparams.pem.

In my Apache config, I am pointing to that file:

    SSLOpenSSLConfCmd DHParameters "/etc/apache2/dhparam.pem"

And I made sure to restart Apache.

However, even with the standard 4096 bit DH params file, still my Apache seems to use 3072 DH…
https://internet.nl/site/lifeforms.nl/1529341/#control-panel-14

I’ve also tried using the standard 3072 bit DH params file https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe3072.pem as they say this should be ‘sufficient’ but the result is still ‘insufficient’:
https://internet.nl/site/lifeforms.nl/1529352/#control-panel-14

So I’m still confused how I can use 4096 bit DH params...

Kind regards,
WH
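
An added example, not part of the original message or of Apache: a local check that finds each file named by an active `SSLOpenSSLConfCmd DHParameters` line, confirms it can be read, and reports the size of the prime it contains. The helper names, the `root` parameter and `SAMPLE_CONF` are assumptions for illustration; `make_pem` only builds constructed stand-in parameters, not an RFC 7919 group.

```python
import base64, re

def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(pem_text):
    """Bit length of the prime in a PEM 'DH PARAMETERS' block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.+?)-----END DH PARAMETERS-----", pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block")
    tag, seq, _ = read_tlv(base64.b64decode("".join(m.group(1).split())))
    ptag, prime, _ = read_tlv(seq)
    if tag != 0x30 or ptag != 0x02:
        raise ValueError("expected SEQUENCE { INTEGER prime, ... }")
    return int.from_bytes(prime, "big").bit_length()

def dhparam_paths(conf_text):
    """Files named by active (uncommented) SSLOpenSSLConfCmd DHParameters lines."""
    pat = r'^[ \t]*SSLOpenSSLConfCmd[ \t]+DHParameters[ \t]+"?([^"\s]+)'
    return re.findall(pat, conf_text, re.I | re.M)

def audit(conf_text, root=""):
    """Map each configured path to its prime size in bits, or None if unusable."""
    found = {}
    for path in dhparam_paths(conf_text):
        try:
            with open(root + path) as fh:
                found[path] = dh_prime_bits(fh.read())
        except (OSError, ValueError, IndexError):
            found[path] = None
    return found

def make_pem(p, g=2):
    """Constructed test input: DER-encode SEQUENCE { p, g } and wrap it as PEM."""
    def der(tag, body):
        n = len(body)
        k = (n.bit_length() + 7) // 8
        head = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
        return bytes([tag]) + head + body
    ints = b"".join(der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in (p, g))
    b64 = base64.encodebytes(der(0x30, ints)).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + b64 + "-----END DH PARAMETERS-----\n"

# Constructed sample: the directive as it appears in the message above.
SAMPLE_CONF = 'SSLOpenSSLConfCmd DHParameters "/etc/apache2/dhparam.pem"\n'
```

Running `audit()` on the real virtual-host file gives, per directive, either the prime size Apache was pointed at or `None` when the named file cannot be read or parsed.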