emAmazed / redlamp

Bloggie Bloggie
MIT License

Mitigate vulnerability to LogJam SSL/TLS attack on Apache #24

Open emAmazed opened 8 years ago

emAmazed commented 8 years ago

Reference: https://alas.aws.amazon.com/ALAS-2015-550.html

1. Create dhparam pem file: `openssl dhparam -out dhparams.pem 2048`
2. Add the following line to the config: `SSLOpenSSLConfCmd DHParameters <location-of-pemfile>`

   note: `SSLOpenSSLConfCmd` option was added in apache 2.4.8 and later, using OpenSSL 1.0.2 or later.

3. Modify the line in config to ensure the `SSLProtocol` and `SSLCipherSuite` are set: `SSLProtocol all -SSLv2 -SSLv3`
4. Add the following CipherSuite to config:

   ```
   SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
   ```

5. `SSLHonorCipherOrder on`
6. Restart apache service.
7. Verify if the server is vulnerable to Logjam: https://tools.keycdn.com/logjam
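Before restarting and testing against an external scanner (steps 6 and 7), it helps to audit the config file itself for the four settings the steps above introduce: a custom DH group, SSLv2/SSLv3 disabled, export-grade ciphers excluded, and server-side cipher ordering. The script below is an added example written for this issue; it is not part of the redlamp project. It parses directive lines from an Apache config, ignores comments and `<...>` block markers (scope is not tracked, so it is meant for one `ssl.conf`-style file at a time), and reports one finding per mitigation. The weak config, the pem path, and the `ALL_PROTOCOLS` expansion of `all` are constructed assumptions; the hardened cipher string is the one given in the steps above.

```python
"""Audit an Apache httpd SSL config for the Logjam mitigations from the issue.

Added example for illustration; not project code. The sample configs are
constructed, and ALL_PROTOCOLS is an assumed expansion of `SSLProtocol all`
for a 2.4.x build of that era.
"""
from dataclasses import dataclass

# Assumed protocol set that `all` expands to (SSLv2 is included so that a
# config which forgets `-SSLv2` is still flagged, as the issue asks for both).
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}


@dataclass
class Finding:
    directive: str
    ok: bool
    detail: str


def _directives(config_text):
    """Yield (name, raw_args) for each directive line, skipping comments/blocks."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1].strip() if len(parts) > 1 else "")


def audit_logjam(config_text):
    """Return (all_ok, [Finding, ...]) for the four mitigations in the issue."""
    found = {}
    for name, args in _directives(config_text):
        if name == "SSLOpenSSLConfCmd":
            sub = args.split(None, 1)
            if sub and sub[0] == "DHParameters" and len(sub) > 1:
                found["DHParameters"] = sub[1].strip().strip('"')
        elif name in ("SSLProtocol", "SSLCipherSuite", "SSLHonorCipherOrder"):
            found[name] = args.strip('"')

    findings = []

    # Step 2: a custom DH group instead of mod_ssl's built-in default.
    dh = found.get("DHParameters", "")
    findings.append(Finding(
        "SSLOpenSSLConfCmd DHParameters", bool(dh),
        f"custom group loaded from {dh}" if dh
        else "not set; mod_ssl uses its built-in DH group"))

    # Step 3: SSLv2 and SSLv3 must not be effectively enabled.
    tokens = found.get("SSLProtocol", "all").split()
    disabled = {t[1:] for t in tokens if t.startswith("-")}
    requested = {t.lstrip("+") for t in tokens if not t.startswith("-")}
    enabled = (set(ALL_PROTOCOLS) if "all" in requested else requested) - disabled
    legacy = sorted(enabled & LEGACY_PROTOCOLS)
    findings.append(Finding(
        "SSLProtocol", not legacy,
        "SSLv2/SSLv3 disabled" if not legacy
        else f"still enabled: {', '.join(legacy)}"))

    # Step 4: export-grade (512-bit DH) suites must be excluded, not listed.
    cipher_tokens = found.get("SSLCipherSuite", "").split(":")
    export_excluded = "!EXPORT" in cipher_tokens or "!EXP" in cipher_tokens
    export_listed = any(t.upper().startswith("EXP") for t in cipher_tokens)
    findings.append(Finding(
        "SSLCipherSuite", export_excluded and not export_listed,
        "!EXPORT present" if export_excluded and not export_listed
        else "export ciphers not explicitly excluded"))

    # Step 5: the server, not the client, chooses the suite.
    honor = found.get("SSLHonorCipherOrder", "off").lower() == "on"
    findings.append(Finding(
        "SSLHonorCipherOrder", honor,
        "on" if honor else "off; client can steer negotiation to a weak suite"))

    return all(f.ok for f in findings), findings


# Constructed sample: a config that predates the mitigation steps.
WEAK_CONFIG = """
<VirtualHost *:443>
  SSLEngine on
  SSLProtocol all
  SSLCipherSuite HIGH:MEDIUM:EXPORT
  SSLHonorCipherOrder off
</VirtualHost>
"""

# Constructed sample applying the issue's steps; the pem path is a placeholder.
HARDENED_CONFIG = """
<VirtualHost *:443>
  SSLEngine on
  # placeholder path; generate with: openssl dhparam -out dhparams.pem 2048
  SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparams.pem"
  SSLProtocol all -SSLv2 -SSLv3
  SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
  SSLHonorCipherOrder on
</VirtualHost>
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        ok, findings = audit_logjam(cfg)
        print(f"[{label}] overall: {'PASS' if ok else 'FAIL'}")
        for f in findings:
            print(f"  {'ok ' if f.ok else 'BAD'} {f.directive}: {f.detail}")
```

Run it against a real file with `audit_logjam(open('/etc/httpd/conf.d/ssl.conf').read())`. A passing audit only confirms the directives are present; whether the pem file actually holds a 2048-bit group is a separate check (`openssl dhparam -in dhparams.pem -text -noout`), and the external scanner in step 7 remains the end-to-end confirmation.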