Topic: TLS/SSL server using commonly used prime numbers |
|
Author |
|
danielc
Joined: 15 Jul 2022 Posts: 3 Location: HK
|
Posted: Mon 03 Oct '22 13:48 Post subject: TLS/SSL server using commonly used prime numbers |
|
|
Hello,
Our Apache server has been audited and the following messages have been given:
Quote: | Vulnerability Type
TLS/SSL server using commonly used prime numbers
Description of Vulnerability
The server is using a common or default prime number as a parameter during the Diffie-Hellman key exchange. This makes the secure session vulnerable to a precomputation attack. An attacker may be able to deduce the shared secret for the handshake and decrypt the session.
Suggested Actions
It is recommended to use a 2048-bit or stronger Diffie-Hellman group.
Vulnerability Solution:
Configure the server to use a randomly generated Diffie-Hellman group. It's recommended that you generate a 2048-bit group. The simplest way of generating a new group is to use OpenSSL:
openssl dhparam -out dhparams.pem 2048
To use the DH parameters in newer versions of Apache (2.4.8 and newer) and OpenSSL 1.0.2 or later, you can directly specify your DH params file as follows:
SSLOpenSSLConfCmd DHParameters "(path to dhparams.pem)"
If you are using Apache with LibreSSL, or Apache 2.4.7 and OpenSSL 0.9.8a or later, you can append the DHparams you generated
|
Given that our Apache version is only 2.4.6 currently, what method should we actually use for solving this problem?
Should we use
SSLDHParametersFile "/PATH/TO/YOUR/CERTIFICATE/FILES/dhparams.pem" or something else?
Thanks
Daniel |
|
|
danielc
Joined: 15 Jul 2022 Posts: 3 Location: HK
|
Posted: Mon 03 Oct '22 13:56 Post subject: |
|
|
Additionally, it looks like to use SSLDHParametersFile, it needs to be patched
https://bz.apache.org/bugzilla/show_bug.cgi?id=49559
But I am not sure if that fix means we can use SSLDHParametersFile in 2.4.6, or we should use something else... |
|
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Tue 04 Oct '22 13:14 Post subject: |
|
|
Use the following
Code: |
SSLOpenSSLConfCmd ECDHParameters secp521r1
SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1
|
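A way to check a DH parameter file against the audit finding quoted in the first post, as an added example that is not from the thread: it reads the prime out of a `DH PARAMETERS` PEM and reports its size and whether it equals one of the RFC 3526 MODP primes. Treating the RFC 3526 groups as the "commonly used" primes is an assumption about what the scanner compares against; the function names and the `make_pem` sample builder are hypothetical.

```python
import base64

# Assumed reference set, RFC 3526 MODP groups:
# p = 2^n - 2^(n-64) - 1 + 2^64 * (floor(2^(n-130) * pi) + c)
RFC3526_C = {1536: 741804, 2048: 124476, 3072: 1690314, 4096: 240904}

def arctan_inv(x, one):  # arctan(1/x) scaled by `one`, integer Taylor series
    total = term = one // x
    k, sign = 3, -1
    while term:
        term //= x * x
        total += sign * (term // k)
        k, sign = k + 2, -sign
    return total

def rfc3526_prime(bits):
    guard = 64  # extra bits absorb truncation error in the series
    one = 1 << (bits - 130 + guard)
    pi = 4 * (4 * arctan_inv(5, one) - arctan_inv(239, one))  # Machin's formula
    return (1 << bits) - (1 << (bits - 64)) - 1 + (((pi >> guard) + RFC3526_C[bits]) << 64)

def tlv(buf, pos=0):  # minimal DER reader -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dh_prime_from_pem(pem):
    b64 = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    tag, seq, _ = tlv(base64.b64decode(b64))
    ptag, p, _ = tlv(seq)  # first INTEGER in the SEQUENCE is the prime
    if tag != 0x30 or ptag != 0x02:
        raise ValueError("not a DH PARAMETERS (PKCS#3) structure")
    return int.from_bytes(p, "big")

def audit(pem):
    p = dh_prime_from_pem(pem)
    bits = p.bit_length()
    common = bits in RFC3526_C and p == rfc3526_prime(bits)
    return {"bits": bits, "common_prime": common, "ok": bits >= 2048 and not common}

def make_pem(p, g=2):  # builds a constructed sample file so the check runs offline
    def der(tag, body):
        n = len(body)
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + body
    ints = b"".join(der(2, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in (p, g))
    return ("-----BEGIN DH PARAMETERS-----\n" + base64.encodebytes(der(0x30, ints)).decode()
            + "-----END DH PARAMETERS-----\n")
```

Run it on a real file with `audit(open("dhparams.pem").read())`. The check compares size and identity only; it does not test that the value is prime.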