The Diffie-Hellman Fix

Securing Diffie-Hellman for TLS in nginx to Prevent Logjam Attacks


nginx versions before 1.11.0 ship a built-in 1024-bit Diffie-Hellman group that is used for DHE cipher suites whenever ssl_dhparam is not set, and that same group is shared by every server running with the default. The Logjam research showed that 512-bit export groups can be broken with modest resources and argued that a widely shared 1024-bit group is within reach of a state-level adversary, who can pay for the expensive precomputation once and then break individual handshakes quickly. Newer nginx builds set no DH parameters by default (DHE suites are simply unavailable until ssl_dhparam is configured), but on any version the remedy is the same: generate your own group of at least 2048 bits and point nginx at it. We want our TLS-enabled websites to be as secure as possible.


The commands below are written for a single site; substitute your own domain name wherever a domain appears.

Server Test 

Run an online TLS server test against your site and its certificate (every website should have one these days; the A and A+ grades referred to below are those reported by Qualys SSL Labs). With the default DH group you will likely find a warning like this in the result:

Initial test results.


For the purposes of this guide we assume you are running your server on Laravel Forge and already have an SSL certificate installed for the site. <your-domain> stands for the site's domain name.

  1. SSH into your server:
    ssh forge@<your-domain>
  2. Establish super-user access (you will be prompted for your forge sudo password):
    sudo -i
  3. Create a new, stronger DH group. 2048 bits is the minimum worth deploying; 4096 is stronger but takes far longer to generate and makes every DHE handshake slower. Expect this to take a minute or two:
    openssl dhparam -out /etc/nginx/ssl/<your-domain>/dhparams.pem 2048
  4. Edit the nginx configuration for your site (using Laravel Forge, or nano /etc/nginx/sites-available/<your-domain>) and add the following line directly below the ssl_protocols directive:
    ssl_dhparam /etc/nginx/ssl/<your-domain>/dhparams.pem;
  5. Now let's fortify the cipher handling a bit. Open the main nginx configuration for editing:
    nano /etc/nginx/nginx.conf
  6. Paste the following directive at the end of the http block (nginx has no html block). It makes the server's ssl_ciphers order win over the client's preference; it does not remove weak suites by itself, so make sure the site's ssl_ciphers list excludes export-grade and other weak suites:
    ssl_prefer_server_ciphers on;
  7. Check that the configuration still parses (nginx -t), then reload nginx and exit super-user mode:
    service nginx reload
    exit
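The seven steps above as one script. This is an added example, not code from the original guide or from Laravel Forge; all function names are my own. It assumes the Forge layout the guide uses (/etc/nginx/sites-available/<domain>, /etc/nginx/ssl/<domain>/dhparams.pem and /etc/nginx/nginx.conf), that openssl, awk and nginx are on the path, and that it is run as root as `bash dhfix.sh apply <your-domain> [bits]`. Unlike the manual steps it is idempotent (re-running it rewrites rather than duplicates the directives and keeps an existing group that is already large enough), checks the configuration with nginx -t before reloading, and reports the group size actually in use.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide or Laravel Forge: applies the DH
# fix end to end on a Forge-style nginx layout. Assumed: run as root, openssl,
# awk and nginx on the path; all helper names below are my own.
set -eu

# has_directive FILE DIRECTIVE: true if an uncommented "DIRECTIVE ..." line exists.
has_directive() { grep -Eq "^[[:space:]]*$2[[:space:]]" "$1"; }

# rewrite_directive FILE DIRECTIVE VALUE: replace every "DIRECTIVE ...;" line
# with "DIRECTIVE VALUE;", keeping its indentation.
rewrite_directive() {
  awk -v d="$2" -v v="$3" '
    $1 == d { match($0, /^[[:space:]]*/); print substr($0, 1, RLENGTH) d " " v ";"; next }
    { print }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# add_ssl_directive SITE_CONF DIRECTIVE VALUE (step 4): insert the directive
# directly after ssl_protocols, or rewrite it in place if it already exists.
add_ssl_directive() {
  local file="$1" directive="$2" value="$3"
  if has_directive "$file" "$directive"; then
    rewrite_directive "$file" "$directive" "$value"
    return
  fi
  has_directive "$file" ssl_protocols || { echo "no ssl_protocols line in $file" >&2; return 1; }
  awk -v d="$directive" -v v="$value" '
    { print }
    $1 == "ssl_protocols" { print "    " d " " v ";" }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# add_http_directive NGINX_CONF DIRECTIVE VALUE (step 6): append the directive
# at the end of the http { ... } block, tracking brace depth so nested server
# or map blocks inside it are skipped, or rewrite it in place if present.
add_http_directive() {
  local file="$1" directive="$2" value="$3"
  if has_directive "$file" "$directive"; then
    rewrite_directive "$file" "$directive" "$value"
    return
  fi
  awk -v d="$directive" -v v="$value" '
    /^[[:space:]]*http[[:space:]]*[{]/ { in_http = 1 }
    in_http {
      line = $0
      opens = gsub(/[{]/, "{", line)
      closes = gsub(/[}]/, "}", line)
      depth += opens - closes
      if (depth == 0) { print "    " d " " v ";"; in_http = 0 }
    }
    { print }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# check_config NGINX_CONF SITE_CONF: succeeds only when the site has an
# ssl_dhparam line and ssl_prefer_server_ciphers is set in either file.
check_config() {
  local ok=0
  has_directive "$2" ssl_dhparam || { echo "missing ssl_dhparam in $2"; ok=1; }
  has_directive "$1" ssl_prefer_server_ciphers || has_directive "$2" ssl_prefer_server_ciphers \
    || { echo "missing ssl_prefer_server_ciphers"; ok=1; }
  return "$ok"
}

# dhparam_bits PEM: group size of a DH parameter file (e.g. 2048), parsed from
# the "(N bit)" line that openssl prints in both 1.x and 3.x.
dhparam_bits() {
  openssl dhparam -in "$1" -noout -text | sed -nE 's/.*\(([0-9]+) bit\).*/\1/p'
}

# ensure_dhparam PEM BITS (step 3): generate a group only if none of at least
# BITS exists yet; generation takes minutes, so never redo it needlessly.
ensure_dhparam() {
  local pem="$1" bits="$2"
  if [ -f "$pem" ] && [ "$(dhparam_bits "$pem")" -ge "$bits" ]; then
    echo "keeping existing $(dhparam_bits "$pem")-bit group in $pem"
    return 0
  fi
  mkdir -p "$(dirname "$pem")"
  openssl dhparam -out "$pem" "$bits"
}

# apply_fix DOMAIN [BITS]: the whole procedure, with nginx -t before the reload
# so a typo cannot take the site down.
apply_fix() {
  local domain="$1" bits="${2:-2048}"
  local site="/etc/nginx/sites-available/$domain"
  local pem="/etc/nginx/ssl/$domain/dhparams.pem"
  ensure_dhparam "$pem" "$bits"
  add_ssl_directive "$site" ssl_dhparam "$pem"
  add_http_directive /etc/nginx/nginx.conf ssl_prefer_server_ciphers on
  check_config /etc/nginx/nginx.conf "$site"
  nginx -t && service nginx reload
  echo "nginx reloaded; $domain now uses a $(dhparam_bits "$pem")-bit DH group"
}

# usage (as root): bash dhfix.sh apply <your-domain> [2048|4096]
if [ "${1:-}" = "apply" ]; then
  apply_fix "${2:?domain required}" "${3:-2048}"
fi
```

The config editing is done with awk rather than sed so that the directive lands in the right block even when nginx.conf contains nested map or server blocks, and the script only touches the two files the guide edits by hand. dhparam_bits is also useful on its own to audit a server: run it against the file named by ssl_dhparam and anything below 2048 should be regenerated.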


Rerun the server test. The weak-DH warning should be gone and the site should now score an A or A+ (the final grade also depends on the certificate chain and the protocol and cipher settings, so anything still flagged there is a separate fix).

Final test results.