The Diffie-Hellman Fix

Securing Diffie-Hellman for TLS to Prevent Log-Jam Attacks

Reasoning 

The default Diffie-Hellman deployed on nginx servers uses a common 1024-bit prime. This can make it somewhat vulnerable to log-jam attacks. We want our SSL-cert websites to be as secure as possible.

Preparation 

This complete process is customized to your domain name:   

Server Test 

Perform a test of your server and its SSL certificate (each web site should have one these days). You will likely find a warning like this on the test result:

Initial test results.
Initial test results.

Procedure 

For the purposes of guide we are assuming you are running your server on Laravel Forge, and have a ssl certificate installed.

  1. SSH into your server:
    ssh forge@{{ domain ? domain : domainPlaceholder }}
  2. Establish super-user access (you will be prompted for your forge sudo password):
    sudo -i
  3. Create a new, stronger DH Group (this will take a minute or two):
    openssl dhparam -out /etc/nginx/ssl/{{ domain ? domain : domainPlaceholder }}/dhparams.pem 2048
  4. Edit your nginx configuration for your site, and add the following below the ssl_protocols directive (edit it using Laravel Forge or nano /etc/nginx/sites-available/{{ domain ? domain : domainPlaceholder }}):
    ssl_dhparam /etc/nginx/ssl/{{ domain ? domain : domainPlaceholder }}/dhparams.pem;
  5. Now lets fortify the ciphers a bit. Open your nginx configuration for editing:
    nano /etc/nginx/nginx.conf
  6. Paste the following directives at the end of the html block:
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
  7. Reload nginx configuration, and exit super-user mode:
    service nginx reload
    exit

Results

If you rerun your SSL test, you should now find that you score an A or A+.

Final test results.
Final test results.