Many people who use a security certificate are confident that their web server is 100% protected, but we want to point out that there is a vulnerability in the security certificate. It cannot be called an ordinary vulnerability; rather, it is a small hole in the protocol itself during the deprecation of SSL3 and a phased transition to the use of SSL2.
Today there are many web services that are vulnerable to this Logjam attack. We will look at what can be done to secure your server. We will be talking about servers running the CentOS operating system, versions 6 and 7.
Specific actions
First, check whether your server is actually vulnerable by testing it with Qualys SSL. If your server is vulnerable, there will be a message at the top of the page. After you confirm that the server is vulnerable, enter the NGINX installation directory:
cd /etc/nginx/
mkdir keygroup
cd keygroup
Next, run the following command to create a key group:
openssl dhparam -out dhsecure.pem 2048
The next step is to add the new key group to your NGINX configuration:
cd /etc/nginx/
vi .conf
Next, add the ssl_dhparam line shown below inside each SSL server block. Update all of your SSL server blocks accordingly:
server {
    listen 443 ssl;
    ...
    # Key group created above; ssl_dhparam belongs in the server block, not inside location
    ssl_dhparam /etc/nginx/keygroup/dhsecure.pem;
    ...
    location / {
        ...
    }
}
Then reload the NGINX web server:
service nginx reload
Finally, test the server again with SSL certificate verification.
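Before reloading, it helps to confirm that every SSL server block really received the directive. The script below is an added example, not part of the original article: the function names audit_dhparam and sample_conf and the sample configuration are constructed for illustration, and it assumes conventionally formatted configuration with one directive or block opener per line.

```shell
# Added example, not from the original article. Reports each SSL server block and
# whether ssl_dhparam sits directly in it; an http-level ssl_dhparam is not considered.
audit_dhparam() {   # usage: audit_dhparam FILE   (or pipe a config on stdin)
    awk '{
        line = $0
        sub(/#.*/, "", line)                        # ignore comments
        if (!in_srv && line ~ /(^|[ \t])server[ \t]*[{]/) {
            in_srv = 1; start = NR; base = depth; is_ssl = 0; dh = ""; nested = 0
        } else if (in_srv) {
            if (line ~ /^[ \t]*listen[ \t].*[ \t]ssl[ \t;]/) is_ssl = 1
            if (line ~ /^[ \t]*ssl_dhparam[ \t]/) {
                if (depth == base + 1) {            # directly inside server {}
                    dh = line; sub(/^[ \t]*ssl_dhparam[ \t]+/, "", dh); sub(/[ \t]*;.*/, "", dh)
                } else nested = 1                   # e.g. inside location {}
            }
        }
        depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)
        if (in_srv && depth <= base) {              # server block just closed
            if (is_ssl && dh != "") print "line " start ": ok " dh
            else if (is_ssl && nested) print "line " start ": MISPLACED ssl_dhparam"
            else if (is_ssl) print "line " start ": MISSING ssl_dhparam"
            in_srv = 0
        }
    }' "$@"
}
sample_conf() {     # constructed sample configuration
    cat <<'EOF'
http {
    server {
        listen 80;
    }
    server {
        listen 443 ssl;
        ssl_dhparam /etc/nginx/keygroup/dhsecure.pem;
    }
    server {
        listen 443 ssl;
        location / {
            ssl_dhparam /etc/nginx/keygroup/dhsecure.pem;
        }
    }
    server {
        listen 443 ssl;   # no DH group configured
    }
}
EOF
}
sample_conf | audit_dhparam
```

Running nginx -t before the reload is a useful second check, since NGINX itself refuses a configuration in which ssl_dhparam appears inside a location block.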