See https://weakdh.org for the problem – 1024-bit Diffie-Hellman groups are potentially breakable (the ‘Logjam’ vulnerability). This can be fixed in Apache 2.4 by pointing it at custom DH parameters, but until recently version 2.2 was vulnerable. The issue was fixed in apache 2.2.22-13+deb7u5, which allows custom DH parameters to be appended to the server certificate file. To use this in Debian 7:
1. Update to apache 2.2.22-13+deb7u5 or higher.

2. Generate a new Diffie-Hellman group using

   openssl dhparam -out dhparams.pem 2048

3. Find where the appropriate server certificate file is – the standard Debian setup specifies this (the SSLCertificateFile directive) in

   /etc/apache2/sites-available/default-ssl

4. Append the DH group to the server certificate (keep a copy of the original certificate file first, so the change can be reverted if Apache refuses to start):

   cat dhparams.pem >> server_certificate.pem

   The resulting file should look like

   -----BEGIN CERTIFICATE-----
   stuff
   -----END CERTIFICATE-----
   -----BEGIN DH PARAMETERS-----
   more stuff
   -----END DH PARAMETERS-----

5. Restart Apache.
Checking the server with https://www.ssllabs.com/ssltest/ afterwards shows DH 2048 bits.
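The steps above, as an added shell script that is not part of the original note: it generates the 2048-bit group, appends it to the certificate file with a backup, and then verifies the combined PEM locally (certificate still readable, exactly one DH block, group at least 2048 bits) before you restart Apache and go to the SSL Labs test. The certificate path and the /tmp/dhparams.pem location are assumptions; the DH block is extracted with sed before being handed to openssl so the check works on the combined file with any OpenSSL version.

```shell
#!/bin/sh
# Added example (not from the original note): generate a 2048-bit DH group,
# append it to the Apache server certificate as the note describes, and verify
# the combined PEM before restarting Apache. All file paths are assumptions.
set -eu

# Step 2: generate a fresh DH group. 2048 bits is what the note recommends;
# the size is a parameter so the functions can also be exercised on small
# throwaway groups.
gen_dh_group() {                # gen_dh_group OUTFILE BITS
    openssl dhparam -out "$1" "$2" 2>/dev/null
}

# Step 4: append the group to the certificate file, keeping a backup so the
# change can be reverted if Apache refuses to start.
append_dh_to_cert() {           # append_dh_to_cert CERTFILE DHFILE
    cp -p "$1" "$1.bak"
    cat "$2" >> "$1"
}

# Count the PEM blocks of one type ("CERTIFICATE", "DH PARAMETERS") in a file.
count_pem_blocks() {            # count_pem_blocks FILE TYPE
    grep -c "^-----BEGIN $2-----" "$1" || true
}

# Extract only the DH PARAMETERS block (so a combined cert+DH file can be
# inspected) and ask openssl how large the prime is, in bits.
dh_bits() {                     # dh_bits FILE
    sed -n '/^-----BEGIN DH PARAMETERS-----/,/^-----END DH PARAMETERS-----/p' "$1" \
        | openssl dhparam -noout -text 2>/dev/null \
        | sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeeds only if the file holds a DH group of at least MIN_BITS bits.
check_dh_strength() {           # check_dh_strength FILE MIN_BITS
    bits=$(dh_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$2" ]
}

# Full check of the resulting certificate file: still a readable certificate,
# exactly one DH block, and a group of the required size.
verify_combined() {             # verify_combined CERTFILE MIN_BITS
    openssl x509 -in "$1" -noout -subject >/dev/null 2>&1 || return 1
    [ "$(count_pem_blocks "$1" CERTIFICATE)" -ge 1 ] || return 1
    [ "$(count_pem_blocks "$1" 'DH PARAMETERS')" -eq 1 ] || return 1
    check_dh_strength "$1" "$2"
}

# Usage on the server (assumed path; run as root), e.g.
#   DH_RUN=1 sh apache_dh.sh /etc/apache2/ssl/server_certificate.pem
if [ "${DH_RUN:-}" = 1 ]; then
    cert="${1:?certificate path required}"
    gen_dh_group /tmp/dhparams.pem 2048          # slow: safe-prime search
    append_dh_to_cert "$cert" /tmp/dhparams.pem
    if verify_combined "$cert" 2048; then
        echo "ok: $cert now carries a $(dh_bits "$cert")-bit DH group; restart Apache"
    else
        echo "check failed; restoring $cert.bak" >&2
        mv "$cert.bak" "$cert"
        exit 1
    fi
fi
```

The script only acts when DH_RUN=1 is set, so sourcing it just defines the helper functions; verify_combined is the check worth running before every restart, since a certificate file that Apache cannot parse takes the whole site down rather than just the DH fix.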