How to disable Diffie-Hellman
I got the task: disable DIFFIE-HELLMAN EPHEMERAL KEY EXCHANGE DOS VULNERABILITY (SSL/TLS, D(HE)ATER).
I opened the settings at scripts2/globalapachesetup and navigated to the SSL Cipher Suite section.
Here are the values: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
Then I removed the keys DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:
Then I clicked save and rebuild and restart Apache.
Then I ran the command $ openssl s_client -connect ip:443 -cipher "EDH" and it connects.
Where is my mistake?
Hey there! Can you let us know the specific error you're receiving from the scanning tool? That might be helpful in narrowing this down a bit.
What do you mean by scanning tool? My security department gave me the task: disable DIFFIE-HELLMAN EPHEMERAL. They gave this description: The remote SSL/TLS server is supporting Diffie-Hellman ephemeral (DHE) Key Exchange algorithms and thus could be prone to a denial of service (DoS) vulnerability. The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE.
Can you get some more specific details from your security department about what issues they are seeing? Every cipher with "DHE" is part of Diffie Hellman, so if you remove all those you won't have any options left. It would be good to know the specific error they are reporting so we can recommend an action to take.
They say just remove Diffie Hellman. REMEDIATION: "DHE key exchange should be disabled if no other mitigation mechanism can be used and either elliptic-curve variant of Diffie-Hellman (ECDHE) or RSA key exchange is supported by the clients. The fact that RSA key exchange is not forward secret should be considered." Limit the maximum number of concurrent connections in e.g. the configuration of the remote server. For Postfix this limit can be configured via 'smtpd_client_new_tls_session_rate_limit' option, for other products please refer to the manual of the product in question on configuration possibilities.
Thanks for the additional details. This sounds like they are talking about the mailserver, and not Apache. This would be adjusted in WHM >> Mailserver Configuration, and you'd just want to remove any ciphers that contain the "EDHC" text. It would be a good idea to back up your original cipher list just in case.
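
As an added example (not part of the thread or of cPanel's tooling), this script lists and strips the finite-field DHE entries from the cipher list in the question and classifies `openssl s_client` output by its `Server Temp Key` line. A successful connection with `-cipher "EDH"` does not by itself show that DHE was negotiated, because in OpenSSL 1.1.1 and later `-cipher` restricts only TLS 1.2 and below. The function names, the `HOST` placeholder and both transcripts are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Sample s_client output below is constructed.

# Apache cipher list as quoted in the question.
LIST='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'

# Print the finite-field DHE entries (DHE-*/EDH-*). ECDHE-* does not match
# because the pattern is anchored at the start of each suite name.
ffdhe_entries() {
  printf '%s\n' "$1" | tr ':' '\n' | grep -E '^(DHE|EDH)-' | paste -sd: -
}

# Print the list without those entries (and without empty fields), order kept.
strip_ffdhe() {
  printf '%s\n' "$1" | tr ':' '\n' | grep -Ev '^((DHE|EDH)-.*)?$' | paste -sd: -
}

# Read `openssl s_client` output on stdin and report "<protocol> <cipher> <kex>",
# where kex is FFDHE only if the server's ephemeral key was finite-field DH.
handshake_kex() {
  awk '
    /^New, /             { proto = $2; sub(/,$/, "", proto); cipher = $NF }
    /^Server Temp Key: / { key = $4; sub(/,$/, "", key) }
    END {
      if (proto == "" || cipher == "(NONE)") { print "no-handshake"; exit }
      print proto, cipher, (key == "DH" ? "FFDHE" : "not-FFDHE")
    }'
}

# Constructed transcripts: a TLS 1.3 session and a TLS 1.2 DHE session.
SAMPLE_TLS13='Server Temp Key: X25519, 253 bits
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384'
SAMPLE_DHE='Server Temp Key: DH, 2048 bits
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384'

echo "DHE entries : $(ffdhe_entries "$LIST")"
echo "cleaned list: $(strip_ffdhe "$LIST")"
printf '%s\n' "$SAMPLE_TLS13" | handshake_kex
printf '%s\n' "$SAMPLE_DHE"   | handshake_kex

# Against a live server (HOST is a placeholder), force TLS 1.2 so that only the
# -cipher list applies:
#   openssl s_client -connect HOST:443 -tls1_2 -cipher EDH </dev/null 2>/dev/null | handshake_kex
```

With DHE disabled, the live check should end in `no-handshake`; the same check applies to any other TLS port on the host.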