Disabling Diffie-Hellman on Apache Servers

You can edit keyword strings in the ssl.conf or httpd.conf files to disable Diffie-Hellman on Apache Servers.

About this task

This task provides the procedure to disable Diffie-Hellman on Apache Servers by editing the SSLCipherSuite config option string in the ssl.conf or httpd.conf files.

Procedure

  1. In Apache's conf directory, locate the ssl.conf or httpd.conf file.
  2. Look for the SSLCipherSuite keyword string value:
    
    To disable Diffie-Hellman, insert "!EDH:!DHE:!DH:!ECDH" after the "ALL:" in the cipher spec.
    This string is an example; make sure the exclusions cover all the variants of Diffie-Hellman so that it is disabled on your web server.
    For additional information, see: https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslciphersuite
    
  3. Repeat this edit in every SSL config section, if you are not using one global section.
  4. Save the file.
  5. Restart the web server for the changes to take effect.
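
To confirm that step 3 reached every section, the following added example (not part of the original procedure or of Apache itself) scans config files for SSLCipherSuite directives and reports any that lack one of the four exclusions. The function names and the sample virtual hosts are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit Apache config for SSLCipherSuite lines missing a DH exclusion.
REQUIRED='!EDH !DHE !DH !ECDH'

# check_dh_disabled FILE...  prints "file:line: OK" or "file:line: MISSING <tokens>".
# Exit status: 0 all directives complete, 1 a token is missing, 2 no directive found.
check_dh_disabled() {
    awk -v required="$REQUIRED" '
    BEGIN { n = split(required, req, " "); bad = 0; seen = 0 }
    /^[ \t]*#/ { next }                          # ignore commented-out directives
    tolower($1) == "sslciphersuite" {            # directive names are case-insensitive
        seen++; spec = $0
        sub(/^[ \t]*[^ \t]+[ \t]+/, "", spec)    # drop the directive name
        gsub(/"/, "", spec)                      # drop optional quotes
        m = split(spec, tok, /[: \t,]+/)         # whole tokens, so !DHE never counts as !DH
        missing = ""
        for (i = 1; i <= n; i++) {
            found = 0
            for (j = 1; j <= m; j++) if (tok[j] == req[i]) found = 1
            if (!found) missing = missing " " req[i]
        }
        if (missing == "") printf "%s:%d: OK\n", FILENAME, FNR
        else { printf "%s:%d: MISSING%s\n", FILENAME, FNR, missing; bad = 1 }
    }
    END { if (seen == 0) exit 2; exit bad }
    ' "$@"
}

# Constructed sample config: the first section was edited, the second was missed.
write_sample() {
    cat > "$1" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite ALL:!EDH:!DHE:!DH:!ECDH:!aNULL:!eNULL
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    # SSLCipherSuite ALL:!EDH:!DHE:!DH:!ECDH
    SSLCipherSuite ALL:!DHE:!aNULL
</VirtualHost>
EOF
}

sample=$(mktemp)
write_sample "$sample"
check_dh_disabled "$sample" || echo "exit status $?: a section still allows Diffie-Hellman"
rm -f "$sample"
```

Pass the function every file that can carry an SSL section, for example both ssl.conf and httpd.conf, before restarting the web server.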