Symptoms

Online Store hosts allow SSL/TLS connections that use Diffie-Hellman groups of 1024 bits or fewer. Diffie-Hellman key exchange is a cornerstone of applied cryptography, but in practice it is less secure than widely believed. In line with the security notification posted at https://weakdh.org/, we recommend using Diffie-Hellman groups of 2048 bits or stronger.

Resolution

Use a 2048-bit Diffie-Hellman group.

  1. Run the following command to determine the path to the server.crt file:

    grep SSLCertificateFile /etc/httpd/conf.d/0ssl.conf
    
  2. Generate a 2048-bit Diffie-Hellman group:

    openssl dhparam -out dhparams.pem 2048
    
  3. Append the Diffie-Hellman group to the server.crt file found in step 1 ('/etc/httpd/conf/ssl.crt/server.crt' in this example):

    cat ./dhparams.pem >> /etc/httpd/conf/ssl.crt/server.crt
    
  4. Restart the web server:

    service httpd restart
    

To make sure that your changes were applied, issue the following command; the Server Temp Key line should report a 2048-bit DH key:

    openssl s_client -connect localhost:443 -cipher "EDH" </dev/null | grep "Server Temp Key"
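The four steps and the check above as one idempotent script. This is an added example, not part of the original article: it assumes the configuration path from step 1, that openssl and the service command are on PATH, and keeps the article's approach of appending the group to the file named by SSLCertificateFile (Apache builds that read DH parameters from the certificate file pick them up from there). It backs up the certificate file before touching it, verifies the size of the generated group, and refuses to append a second DH block when re-run.

```shell
#!/bin/sh
# Added example: apply a 2048-bit DH group to an Apache/mod_ssl host.
# Assumed defaults: /etc/httpd/conf.d/0ssl.conf (from the article),
# openssl and service in PATH.  Run as:  sh dh_group.sh apply [conf]

# Print the path named by the first SSLCertificateFile directive,
# with optional surrounding double quotes removed.
ssl_cert_path() {
    awk '$1 == "SSLCertificateFile" { gsub(/^"|"$/, "", $2); print $2; exit }' "$1"
}

# Succeed if the file already carries a DH PARAMETERS block.
has_dh_params() {
    grep -q -e '-----BEGIN DH PARAMETERS-----' "$1"
}

# Report the size in bits of the group stored in a dhparams file
# (parses the "(NNNN bit)" header printed by openssl dhparam -text).
dh_bits() {
    openssl dhparam -in "$1" -text -noout | grep -o '[0-9][0-9]* bit' | head -n1 | cut -d' ' -f1
}

# Append the DH group to the certificate file unless one is already there,
# so re-running the script never stacks duplicate blocks.
append_dh_params() {
    dh=$1; cert=$2
    if has_dh_params "$cert"; then
        echo "DH parameters already present in $cert" >&2
        return 0
    fi
    cp -p "$cert" "$cert.bak.$(date +%s)"            # keep a copy to roll back to
    if [ -n "$(tail -c1 "$cert")" ]; then              # certificate lacks a final newline
        echo >> "$cert"
    fi
    cat "$dh" >> "$cert"
}

main() {
    conf=${1:-/etc/httpd/conf.d/0ssl.conf}
    cert=$(ssl_cert_path "$conf")
    if [ -z "$cert" ]; then
        echo "no SSLCertificateFile directive in $conf" >&2
        return 1
    fi
    openssl dhparam -out dhparams.pem 2048 || return 1
    bits=$(dh_bits dhparams.pem)
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "generated group is only ${bits:-unknown} bits, refusing to install it" >&2
        return 1
    fi
    append_dh_params dhparams.pem "$cert" || return 1
    service httpd restart || return 1
    # Verify: stdin is redirected so s_client exits instead of waiting for input.
    openssl s_client -connect localhost:443 -cipher EDH </dev/null 2>/dev/null | grep "Server Temp Key"
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
if [ "${1:-}" = apply ]; then
    shift
    main "$@"
fi
```

The final grep expects a line such as `Server Temp Key: DH, 2048 bits`; that line is printed by OpenSSL 1.0.2 and later, so on an older client openssl the command shows nothing even when the group was installed correctly.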
