Well, there's another SSL vulnerability out in the wild. Technically it isn't really a vulnerability; it's a "hole" in the protocol that we rely on during the deprecation of SSL3 and the phasing out of SSL2.
Unfortunately, most modern web servers are vulnerable to this attack because the affected protocol is so widely used.
In this guide, I'll be covering what to do to secure your server on CentOS 6 and 7.
There are two ways to secure your server. In this tutorial, I will only be covering the first option:
1. Generate a unique key group.
2. Disable SSL export keys.
Check whether your server is vulnerable using the Qualys SSL checker. If your server is vulnerable, a warning is shown at the top of the results page.
Once you've confirmed that your server is vulnerable, change into your NGINX configuration directory and create a directory for the key group.
cd /etc/nginx/
mkdir keygroup
cd keygroup
Run the following command to generate a new 2048-bit key group (this can take a few minutes).
openssl dhparam -out dhsecure.pem 2048
Add the new key group to your NGINX configuration.
cd /etc/nginx/
vi .conf
Next, add the ssl_dhparam line shown below inside every SSL server block. Update all of your SSL server blocks accordingly.
server {
    listen 443 ssl;
    ...
    # ssl_dhparam is a server-level (or http-level) directive; it must end with a semicolon
    # and must not sit inside a location block, or NGINX will refuse the configuration.
    ssl_dhparam /etc/nginx/keygroup/dhsecure.pem;
    ...
    location / {
        ...
    }
}
Save and exit the configuration file, then reload NGINX.
service nginx reload
Test your server again with the SSL checker. Your server will no longer be reported as vulnerable to the attack.
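Before reloading, two things are worth confirming: that the file openssl dhparam wrote really carries a 2048-bit prime, and that every SSL server block actually picked up the directive in a context NGINX accepts. The Python script below is an added example and not code from the original post. It parses the PEM "DH PARAMETERS" blob (PKCS#3 DER: a SEQUENCE of the prime p and generator g) to report the bit length of p, and walks an NGINX configuration to flag server blocks that listen with ssl but have no ssl_dhparam, or an ssl_dhparam that landed inside a location block (where NGINX rejects it) or lost its semicolon. The sample config, the constructed DH parameters and the function names (make_dh_pem, dh_prime_bits, audit_nginx_config) are this example's own assumptions.

```python
"""Audit helpers for the DH key-group hardening described above.

Added example, not code from the original post. The sample config and the
DH parameters built here are constructed for the demo; make_dh_pem exists
only to produce test input and its p is not a real safe prime.
"""
import base64
import re

DH_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)


def _der_len(n):
    """DER length encoding (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(n):
    """DER INTEGER for non-negative n; a leading 0x00 keeps the value positive."""
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def make_dh_pem(p, g=2):
    """Build a PEM 'DH PARAMETERS' blob (SEQUENCE { p, g }) for test input."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def _der_read(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def dh_prime_bits(pem_text):
    """Return the bit length of the prime p in a PEM DH PARAMETERS blob."""
    m = DH_RE.search(pem_text)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("expected DER SEQUENCE")
    tag, p_bytes, _ = _der_read(seq, 0)
    if tag != 0x02:
        raise ValueError("expected DER INTEGER for p")
    return int.from_bytes(p_bytes, "big").bit_length()


def audit_nginx_config(text):
    """Return a list of findings for SSL server blocks that lack ssl_dhparam.

    A brace-matching walk over one-directive-per-line config is enough for
    the shape shown in the post; this is not a full NGINX parser.
    """
    findings, stack, servers, http_dhparam = [], [], [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.endswith("{"):
            stack.append({"header": line[:-1].strip(), "ssl": False,
                          "dhparam": False, "line": lineno})
            continue
        if line == "}":
            if stack:
                blk = stack.pop()
                if blk["header"].startswith("server"):
                    servers.append(blk)
            continue
        if not stack:
            continue
        top, word = stack[-1], line.split()[0]
        if word == "listen" and re.search(r"\bssl\b", line):
            top["ssl"] = True
        elif word == "ssl_dhparam":
            if not line.endswith(";"):
                findings.append(f"line {lineno}: ssl_dhparam is missing its trailing ';'")
            if top["header"] == "http":
                http_dhparam = True  # http-level directive is inherited by every server
            elif top["header"].startswith("server"):
                top["dhparam"] = True
            else:
                findings.append(f"line {lineno}: ssl_dhparam inside '{top['header']}' block; "
                                "NGINX only allows it in http or server context")
    for blk in servers:
        if blk["ssl"] and not (blk["dhparam"] or http_dhparam):
            findings.append(f"line {blk['line']}: server block listens with ssl but has no ssl_dhparam")
    return findings


# Constructed sample config: one plain-HTTP server, one correct SSL server,
# and one SSL server that repeats the misplaced-directive mistake.
SAMPLE_CONFIG = """
http {
    server {
        listen 80;
        server_name example.test;
    }
    server {
        listen 443 ssl;
        server_name good.example.test;
        ssl_dhparam /etc/nginx/keygroup/dhsecure.pem;
        location / {
            root /var/www/good;
        }
    }
    server {
        listen 443 ssl;
        server_name bad.example.test;
        location / {
            ssl_dhparam /etc/nginx/keygroup/dhsecure.pem  # wrong context, no semicolon
        }
    }
}
"""

if __name__ == "__main__":
    print("constructed DH prime bits:", dh_prime_bits(make_dh_pem((1 << 2047) | 1)))
    for finding in audit_nginx_config(SAMPLE_CONFIG):
        print(finding)
```

On a real host, point dh_prime_bits at the contents of /etc/nginx/keygroup/dhsecure.pem and audit_nginx_config at the edited .conf file; then run nginx -t before service nginx reload, since a misplaced directive makes the reload fail and leaves the old configuration running.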