logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: weak Diffie-Hellman (DH) ciphers problem
Author
leo.brazil



Joined: 23 Nov 2023
Posts: 3
Location: Brazil

PostPosted: Tue 28 Nov '23 21:42    Post subject: weak Diffie-Hellman (DH) ciphers problem Reply with quote

Dear Apachers, I hope you are doing well.

I have an Windows Server 2019 64x 8GB RAM Standard as the local for the Apache/2.4.58 (Win64) OpenSSL/3.1.3 mod_fcgid/2.3.10-dev, in which is running a Yii2 Framework.

No matter what I try, the SSL Labs test keep showing "This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.".

I've already created a dhparam.pem of 2048 bits, then 4096 bits, I chose the "Best Practices" template in IIS Crypto and restarted the Windows, then "Strict" template and nothing.

I tried to set specific ciphers TLS 1.2 in the Edit Group Policy and applied "gpupdate /force" and nothing. I tried the following ciphersuites in Apache:

1) SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!RC4:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS

2) SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!RC4:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256

3) SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384

Can anybody shows me a light? Thanks!
Back to top
axel.kam



Joined: 11 Jul 2023
Posts: 7

PostPosted: Wed 29 Nov '23 0:46    Post subject: Re: weak Diffie-Hellman (DH) ciphers problem Reply with quote

leo.brazil wrote:
No matter what I try


You can try this config:
https://ssl-config.mozilla.org/#server=apache&version=2.4.58&config=intermediate&openssl=3.1.3&hsts=false&ocsp=false&guideline=5.7
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7374
Location: Germany, Next to Hamburg

PostPosted: Wed 29 Nov '23 10:33    Post subject: Reply with quote

You can find the current A+ config here https://github.com/JBlond/debian_build_apache24/blob/master/ssl.conf

Only change the cache path to

Code:

SSLSessionCache shmcb:C:/Windows/Temp/ssl_gcache_data(512000)
SSLStaplingCache shmcb:C:/Windows/Temp/ssl_stapling_data(512000)
Back to top
leo.brazil



Joined: 23 Nov 2023
Posts: 3
Location: Brazil

PostPosted: Thu 30 Nov '23 16:34    Post subject: Re: weak Diffie-Hellman (DH) ciphers problem Reply with quote

Thank you very much for your advice. I used and increased some good settings like "HTTP Strict Transport Security (HSTS) with long duration deployed on this server."

Unfortunately, the problem persists:
"This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B." (SSL Labs Test) and,
LOGJAM: no DH EXPORT ciphers, no common prime but Unknown DH group has only 1024 bits, (testssl.com) but I'm not able to find this 1024 DH cipher. It's supposed to do not exists due to my settings below.

Below my current httpd-ssl.conf:


Listen 443 https
SSLUseStapling On
SSLSessionCache "shmcb:${SRVROOT}/logs/ssl_gcache_data(512000)"
SSLStaplingCache "shmcb:${SRVROOT}/logs/ssl_stapling(32768)"
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLCompression Off
SSLHonorCipherOrder On
SSLOpenSSLConfCmd DHParameters "${SRVROOT}/conf/ssl/dhparam.pem"
SSLOpenSSLConfCmd ECDHParameters secp521r1
SSLOpenSSLConfCmd Curves secp521r1:secp384r1
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5:!SHA:!DH:!MEDIUM:!LOW:!eNULL:!EXP
SSLSessionTickets off


Also, in httpd-vhosts.conf, I included:
# Protocols h2 http/1.1 (aleready enabled)
Header always set Strict-Transport-Security "max-age=31536000; preload" (success, increased security)

Besides, I disabled using IIS Crypto the Diffie-Hellman key-Exchanges and MD5 and SHA Hashes, followed by a windows reboot. I added a DWORD "ClientMinKeyBitLength" with size 800 (2048) in Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman and I updated the SCH_USE_STRONG_CRYPTO through DWORDS SchUseStrongCrypto with size 1 in both places: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 and HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319, and restarted both Windows Server and Apache but still problem persists. Does anybody here already had the same problem and could give me a light?

Thaks, Leo.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7374
Location: Germany, Next to Hamburg

PostPosted: Fri 01 Dec '23 9:09    Post subject: Reply with quote

You need to change the SSLCipherSuite setting.


Code:

SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
Back to top


Reply to topic   Topic: weak Diffie-Hellman (DH) ciphers problem View previous topic :: View next topic
Post new topic   Forum Index -> Apache