Symptoms
Online Store hosts allow SSL/TLS connections with one or more Diffie-Hellman groups that are 1024 bits or fewer. Diffie-Hellman key exchange is a cornerstone of applied cryptography, but in practice it is less secure than widely believed. According to a security notification posted at https://weakdh.org/, we recommend using Diffie-Hellman groups that are 2048 bits or stronger.
Resolution
Use a 2048-bit Diffie-Hellman group.
Run the following command to determine the path to the server.crt file:
cat /etc/httpd/conf.d/0ssl.conf | grep SSLCertificateFile
Generate a 2048-bit Diffie-Hellman group:
openssl dhparam -out dhparams.pem 2048
Add a Diffie-Hellman group to the server.crt file obtained in step 1 ('/etc/httpd/conf/ssl.crt/server.crt' in this example):
cat ./dhparams.pem >> /etc/httpd/conf/ssl.crt/server.crt
Restart the web server:
service httpd restart
To make sure that your changes were applied, issue the following command:
openssl s_client -connect localhost:443 -cipher "EDH" | grep "Server Temp Key"