2 Securing the Website
Theodotos Andreou edited this page 6 years ago

In this guide we take additional steps to secure the website and reach PCI compliance.

Prerequisites

Report

These issues have been found:

Diffie-Hellman parameter's size is only 1024 bits

The Diffie-Hellman parameter's size is only 1024 bits. A longer one must be generated to prevent the Logjam vulnerability.

Solution:

Generate 2048-bit Diffie-Hellman parameters:

    $ sudo openssl dhparam -out /etc/nginx/dhparams.pem 2048

Add this line in /etc/nginx/sites-available/cms:

    ssl_dhparam /etc/nginx/dhparams.pem;

Restart Nginx:

    $ sudo nginx -t && sudo systemctl restart nginx
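
To confirm the fix before re-running the scan, the following check (an added example, not part of the original guide) reads the `ssl_dhparam` path from the site config and verifies the size of that file with `openssl`. The function names and the `MIN_BITS` variable are assumptions made for this example, and it relies on `openssl dhparam -text` printing a `DH Parameters: (N bit)` line.

```sh
#!/bin/sh
# Added example: verify the Logjam fix from this guide.
# MIN_BITS and all function names are assumptions of this example.
MIN_BITS=2048

# Read `openssl dhparam -text` output on stdin and print the parameter size,
# taken from the line "DH Parameters: (2048 bit)".
dh_bits() {
    sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the file named by the first uncommented ssl_dhparam directive.
configured_dhparam() {
    sed -e 's/#.*//' "$1" |
        sed -n 's/^[[:space:]]*ssl_dhparam[[:space:]][[:space:]]*\([^;[:space:]]*\)[[:space:]]*;.*/\1/p' |
        head -n 1
}

# Succeed only if the argument is a number and at least MIN_BITS.
bits_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$MIN_BITS" ]
}

# Full check: the site config must reference a parameter file of sufficient size.
check_site() {
    conf=$1
    pem=$(configured_dhparam "$conf")
    if [ -z "$pem" ]; then
        echo "FAIL: no ssl_dhparam directive in $conf"
        return 1
    fi
    bits=$(openssl dhparam -in "$pem" -text -noout 2>/dev/null | dh_bits)
    if bits_ok "$bits"; then
        echo "OK: $pem is $bits bits"
    else
        echo "FAIL: $pem is ${bits:-unreadable} bits, need >= $MIN_BITS"
        return 1
    fi
}

# Usage: sudo sh check_dh.sh /etc/nginx/sites-available/cms
if [ "$#" -gt 0 ]; then check_site "$1"; fi
```

A commented-out `ssl_dhparam` line is ignored, so a config that still carries the old directive only as a comment is reported by the directive that is actually active.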

Download the report in PDF form. You should score an A+ for PCI DSS after this.

References