Well, there’s another SSL vulnerability out in the wild. Technically it isn’t really a vulnerability, its just a “hole” inside of the protocol that we rely on during the depreciation of SSL3 and the phasing of SSL2.
Unfortunately, most modern web-servers are vulnerable to this attack because the protocol affected is widely used.
In this guide, I’ll be covering what to do to secure your server on CentOS 6 and 7.
How to secure your server
There are two ways to secure your server. In this tutorial, I will only be covering the first option.
- Generate a unique key group.
- Disable SSL export keys.
What you’ll need to do
Check whether or not your server is vulnerable by using the Qualys SSL checker. If your server is vulnerable, there will be a message at the top of the page.
Once you’ve confirmed that your server is vulnerable, enter your NGINX installation directory.
cd /etc/nginx/
mkdir keygroup
cd keygroup
Run the following command to generate a key group.
openssl dhparam -out dhsecure.pem 2048
Add the new key group to your NGINX configuration.
cd /etc/nginx/
vi .conf
Continuing on, we must add the ssl_dhparam ...
line of code that’s seen below inside of every SSL server block. Update all of your SSL server blocks accordingly.
server {
listen 443 ssl;
...
location / {
...
ssl_dhparam /etc/nginx/keygroup/dhsecure.pem
...
}
Exit the configuration and reload NGINX.
service nginx reload
Test your server again with the SSL checker. Your server will no longer be vulnerable to the attack.
Want to contribute?
You could earn up to $300 by adding new articles
Suggest an update
Request an article