Securing NGINX From The Logjam Attack on CentOS

Updated on July 8, 2015

Well, there's another SSL vulnerability out in the wild. Technically it isn't really a vulnerability; it's just a "hole" inside of the protocol that we rely on during the deprecation of SSL3 and the phasing out of SSL2.

Unfortunately, most modern web servers are vulnerable to this attack because the protocol affected is widely used.

In this guide, I'll be covering what to do to secure your server on CentOS 6 and 7.

How to secure your server

There are two ways to secure your server. In this tutorial, I will only be covering the first option.

  1. Generate a unique key group.
  2. Disable SSL export keys.

What you'll need to do

Check whether or not your server is vulnerable by using the Qualys SSL checker. If your server is vulnerable, there will be a message at the top of the page.

Once you've confirmed that your server is vulnerable, enter your NGINX installation directory.

cd /etc/nginx/
mkdir keygroup
cd keygroup

Run the following command to generate a key group.

openssl dhparam -out dhsecure.pem 2048

Add the new key group to your NGINX configuration.

cd /etc/nginx/
vi .conf

Next, add the ssl_dhparam line shown below inside of every SSL server block (it belongs at the server level, not inside a location block). Update all of your SSL server blocks accordingly.

server {
    listen 443 ssl;
    ...
    ssl_dhparam /etc/nginx/keygroup/dhsecure.pem;
    ...
    location / {
        ...
    }
}

Exit the configuration and reload NGINX.

service nginx reload

Test your server again with the SSL checker. Your server will no longer be vulnerable to the attack.
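If you would rather verify the change locally before running the online checker, the following added example (not part of the original guide) reads a dhparam file and an nginx configuration as strings and checks both: that the prime in the PEM is at least 2048 bits, and that every server block listening with ssl sets ssl_dhparam (directly or inherited from the http block). The PEM and config fixtures are constructed samples, not real server output.

```python
import base64
import re

MIN_DH_BITS = 2048  # Logjam precomputation targets 1024-bit groups; the guide generates a 2048-bit one

def _read_len(buf, i):
    """Decode the DER length at buf[i]; returns (length, index of the first content byte)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def dh_prime_bits(pem_text):
    """Bit length of p in a PKCS#3 dhparam file (SEQUENCE { p INTEGER, g INTEGER }) as written by 'openssl dhparam'."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    _, i = _read_len(der, 1)         # skip the SEQUENCE header; der[i] is p's INTEGER tag
    plen, i = _read_len(der, i + 1)
    return int.from_bytes(der[i:i + plen], "big").bit_length()  # a leading 0x00 pad is harmless

def ssl_servers_missing_dhparam(conf_text):
    """1-based line numbers of server blocks that listen with 'ssl' but get no ssl_dhparam (directly or inherited from http {})."""
    missing, outside = [], conf_text
    for m in re.finditer(r"\bserver\s*\{", conf_text):
        depth, j = 0, m.end() - 1
        while j < len(conf_text):  # walk forward to the brace that closes this server block
            depth += {"{": 1, "}": -1}.get(conf_text[j], 0)
            if depth == 0:
                break
            j += 1
        block = conf_text[m.start():j + 1]
        outside = outside.replace(block, "")
        if re.search(r"\blisten\b[^;]*\bssl\b", block) and "ssl_dhparam" not in block:
            missing.append(conf_text.count("\n", 0, m.start()) + 1)
    return [] if "ssl_dhparam" in outside else missing

# Constructed fixtures, not real server output. p = 2^2048 - 1 is not prime; it only has the right size.
SAMPLE_DHPARAM = ("-----BEGIN DH PARAMETERS-----\nMIIBCAKCAQEA" + "////" * 85
                  + "/wIBAg==\n-----END DH PARAMETERS-----\n")
SAMPLE_CONF = """server {
    listen 443 ssl;
    ssl_dhparam /etc/nginx/keygroup/dhsecure.pem;
    location / { }
}
server {
    listen 8443 ssl;
}
"""
```

On a real host, pass the contents of /etc/nginx/keygroup/dhsecure.pem and of your nginx configuration file to the two functions.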