Vulnerability info: https://weakdh.org/
One of the main points of the vulnerability is that servers sharing the same DHE parameters are all exposed to passive eavesdropping on their SSL connections once an attacker has made a significant, but one-time, precomputation investment against that shared group.
If you are using self-hosted Discourse with SSL without any extra proxies in front:
To remedy this, Discourse will now generate unique DHE parameters the first time you bootstrap the app with SSL enabled. To fix:
```
cd /var/discourse
./launcher rebuild app
```
If you are using discourse.org hosting:
All discourse.org servers are already using a 2048-bit Diffie-Hellman group. No further action is required.
If you are hosting multiple websites on the same machine as Discourse:
Run these commands to generate a 2048-bit DH group of your own:

```
# Or pick a different directory
$ mkdir -p /var/www/keys
$ chmod 750 /var/www/keys
$ openssl dhparam -out /var/www/keys/dhparams.pem 2048
$ chown www-data:www-data /var/www/keys
$ sudoedit /etc/nginx/nginx.conf
```

Then, in the SSL settings section of `nginx.conf`, point nginx at the generated file:

```
##
# SSL Settings
##
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
###
# Add this line
ssl_dhparam /var/www/keys/dhparams.pem;
###
#
```
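Once the file exists, it is worth confirming two things before trusting it: that the prime really is 2048 bits and a safe prime (as `openssl dhparam` produces), and, if you run several hosts, that they did not end up with the same group, which is exactly the sharing the vulnerability above exploits. The following script is an added example, not part of the original post or of Discourse; it uses only the Python standard library, parses the PKCS#3 `DH PARAMETERS` PEM format directly, and the helper names (`check_dhparams`, `find_shared_groups`, `encode_dhparams_pem`) and the small sample primes in it are constructed for illustration.

```python
import base64
import hashlib
import random
import re

PEM_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _encode_tlv(tag, body):
    n = len(body)
    if n < 0x80:
        ln = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        ln = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + ln + body


def _der_int(x):
    b = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:  # keep the INTEGER positive
        b = b"\x00" + b
    return _encode_tlv(0x02, b)


def encode_dhparams_pem(p, g):
    """Build a PKCS#3 DHParameter PEM (SEQUENCE { INTEGER p, INTEGER g }); used for constructed samples."""
    der = _encode_tlv(0x30, _der_int(p) + _der_int(g))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN DH PARAMETERS-----\n" + body + "\n-----END DH PARAMETERS-----\n"


def parse_dhparams_pem(pem):
    """Return (p, g) from a dhparams.pem as written by `openssl dhparam`."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_bytes, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    tag, g_bytes, _ = _read_tlv(seq, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with a trial-division prefilter."""
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % q == 0:
            return n == q
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dhparams(pem, min_bits=2048):
    """Report prime size, safe-prime status and a fingerprint of the group; ok only if both size and safety hold."""
    p, g = parse_dhparams_pem(pem)
    bits = p.bit_length()
    safe = is_probable_prime(p) and is_probable_prime((p - 1) // 2)
    fp = hashlib.sha256(p.to_bytes((bits + 7) // 8, "big")).hexdigest()
    return {"bits": bits, "generator": g, "safe_prime": safe, "fingerprint": fp,
            "ok": bits >= min_bits and safe}


def find_shared_groups(pems):
    """Given {host: pem}, list the sets of hosts that reuse the same DH prime."""
    groups = {}
    for host, pem in pems.items():
        groups.setdefault(check_dhparams(pem)["fingerprint"], []).append(host)
    return [hosts for hosts in groups.values() if len(hosts) > 1]


if __name__ == "__main__":
    # Constructed toy groups (tiny primes, for illustration only): 23 and 47 are safe primes, 17 is not.
    samples = {"forum-a": encode_dhparams_pem(23, 5), "forum-b": encode_dhparams_pem(23, 5),
               "forum-c": encode_dhparams_pem(47, 2), "forum-d": encode_dhparams_pem(17, 3)}
    for host, pem in samples.items():
        print(host, check_dhparams(pem, min_bits=5))
    print("hosts sharing a group:", find_shared_groups(samples))
```

To check a real file, read `/var/www/keys/dhparams.pem` and pass its contents to `check_dhparams` with the default `min_bits=2048`; collect the fingerprints from each machine you administer and feed them to `find_shared_groups` to spot accidental reuse of one group across sites.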