This will fix security vulnerability called Logjam. In short the vulnerability allow man-in-the-middle attack by downgrading TLS connection and manipulating data. You can find full disclosure here.
The solution bellow is just for Nginx, because currently I don’t Apache anywhere right now and I don’t care, but should be pretty easy to do on Apache as well. Also you should fix all other services which are using SSL like FTP, Mail etc.
First check if you have the directory
If you don’t have it, you will need to create it, and change it’s permissions:
mkdir -p /etc/ssl/private chmod 710 /etc/ssl/private
Then you need to create DH parameter file, and change the permissions:
cd /etc/ssl/private openssl dhparam -out dhparams.pem 2048 chmod 600 dhparams.pem
Be patient as this might take a little while, and will consume your CPU.
It was few minutes in my case.
Now you need to edit few things in the nginx config file:
Replace or add the fallowing to the httpd section:
and then add the fallowing two lines:
ssl_prefer_server_ciphers on; ssl_dhparam /etc/ssl/private/dhparams.pem;
Run configtest to see if you forgot some semicolon:
service nginx configtest
and if it says it is OK, you can restart it.