Diffie-Hellman parameters
The DHE (finite-field Diffie-Hellman) ciphers in the Intermediate and Old profiles need a set of DH parameters. Server defaults have historically been weak (1024-bit), which the Logjam attack exploited. Generate or download a strong, standardized group — Mozilla publishes the RFC 7919 ffdhe2048 group at ssl-config.mozilla.org/ffdhe2048.txt — and reference it with ssl_dhparam (nginx) or SSLOpenSSLConfCmd DHParameters (Apache). The Modern profile uses only ECDHE, so it needs no DH parameter file at all.