Improving Qualys SSL server test results regarding weak Diffie-Hellman and Logjam attack

As a follow-up to the earlier Improving Qualys SSL server test results regarding Poodle attack and SHA1, the following should secure the servers I use (openssh/nginx/exim/dovecot on Debian/Devuan) against the Logjam attack on the TLS protocol, which exploits weak Diffie-Hellman parameters.

OpenSSH shell server

Run the following and look for the KEX algorithms line in the debug output. It is fine unless diffie-hellman-group1-sha1 shows up.

ssh -vvv serverhostname

Debian default is ok.

Nginx HTTPS server

cd /etc/ssl
openssl dhparam -out dhparams.pem 2048

Edit /etc/nginx/nginx.conf:

# SSL Settings

ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/dhparams.pem;


invoke-rc.d nginx restart
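To confirm that the dhparams.pem just generated really carries a 2048-bit prime (Logjam targets 512- and 1024-bit groups), here is an added Python check that parses the PKCS#3 PEM file directly; it is not part of the original post, and the sample PEM it builds for itself is constructed test data, not a real safe prime.

```python
"""Check that a PKCS#3 'DH PARAMETERS' PEM file (as written by `openssl dhparam
-out dhparams.pem 2048`) really carries a prime of the expected size.  Pure Python."""
import base64
import re

MIN_DH_BITS = 2048  # the size generated above; Logjam targets 512- and 1024-bit groups

def _read_tlv(der: bytes, pos: int):
    """Decode one DER tag-length-value at `pos`; return (tag, value, next_pos)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(der[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, der[pos:pos + length], pos + length

def dh_prime_bits(pem: str) -> int:
    """Return the bit length of the prime p in a 'DH PARAMETERS' PEM block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:                        # SEQUENCE { p INTEGER, g INTEGER, ... }
        raise ValueError("DH parameters must be a DER SEQUENCE")
    tag, p_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("first element of the SEQUENCE must be INTEGER p")
    return int.from_bytes(p_bytes, "big").bit_length()  # a leading 0x00 pad adds no bits

def dh_params_ok(pem: str, min_bits: int = MIN_DH_BITS) -> bool:
    return dh_prime_bits(pem) >= min_bits

# --- constructed sample input: NOT a real safe prime, it only exercises the parser ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def _der_int(n: int) -> bytes:
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")   # the extra byte keeps the sign bit clear
    return b"\x02" + _der_len(len(body)) + body

def make_dh_pem(bits: int, g: int = 2) -> str:
    """Build a syntactically valid PEM whose 'prime' has exactly `bits` bits (test data only)."""
    body = _der_int((1 << (bits - 1)) | 1) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{lines}\n-----END DH PARAMETERS-----\n"
```

Against the real file, call dh_params_ok(open('/etc/ssl/dhparams.pem').read()); the equivalent OpenSSL check is openssl dhparam -in /etc/ssl/dhparams.pem -text -noout, whose first line reports the parameter size.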

Dovecot IMAPs server

Edit /etc/dovecot/conf.d/10-ssl.conf:

# How often to regenerate the SSL parameters file. Generation is quite CPU
# intensive operation. The value is in hours, 0 disables regeneration
# entirely.
ssl_parameters_regenerate = 168h
ssl_dh_parameters_length = 2048

# SSL protocols to use
ssl_protocols = !SSLv3  # note: add also !SSLv2 if openssl < 1.1

# SSL ciphers to use

invoke-rc.d dovecot restart

Exim SMTPs server

In my case, the relevant file /etc/exim4/conf.d/main/00_stalag13-config_0ssl is managed by my -exim package.

# deactivate outdated SSLv3 (compiled with TLS)
# deactivate weak diffie-hellman
tls_require_ciphers = NORMAL:!DHE-RSA:!DHE-DSS:!DHE-PSK:!ANON-DH:!MD5:!SRP:!PSK:!VERS-SSL3.0


invoke-rc.d exim restart

This should give an A rating as of today, except possibly regarding a self-signed certificate. There is a convenient tool to check Logjam vulnerability at