Apache Lounge
Webmasters

 

Topic: TLS/SSL server using commonly used prime numbers
Author
danielc



Joined: 15 Jul 2022
Posts: 3
Location: HK

Posted: Mon 03 Oct '22 13:48    Post subject: TLS/SSL server using commonly used prime numbers

Hello,

Our Apache server has been audited and the following messages have been given:

Quote:
Vulnerability Type
TLS/SSL server using commonly used prime numbers

Description of Vulnerability
The server is using a common or default prime number as a parameter during the Diffie-Hellman key exchange. This makes the secure session vulnerable to a precomputation attack. An attacker may be able to deduce the shared secret for the handshake and decrypt the session.

Suggested Actions
It is recommended to use a 2048-bit or stronger Diffie-Hellman group.


Vulnerability Solution:
Configure the server to use a randomly generated Diffie-Hellman group. It's recommended that you generate a 2048-bit group. The simplest way of generating a new group is to use OpenSSL:
openssl dhparam -out dhparams.pem 2048
To use the DH parameters in newer versions of Apache (2.4.8 and newer) and OpenSSL 1.0.2 or later, you can directly specify your DH params file as follows:
SSLOpenSSLConfCmd DHParameters "(path to dhparams.pem)"
If you are using Apache with LibreSSL, or Apache 2.4.7 and OpenSSL 0.9.8a or later, you can append the DHparams you generated



Given that our Apache version is only 2.4.6 currently, what method should we actually use for solving this problem?

Should we use
SSLDHParametersFile "/PATH/TO/YOUR/CERTIFICATE/FILES/dhparams.pem" or something else?

Thanks
Daniel
danielc



Joined: 15 Jul 2022
Posts: 3
Location: HK

Posted: Mon 03 Oct '22 13:56

Additionally, it looks like that to use SSLDHParametersFile, it needs to be patched:

https://bz.apache.org/bugzilla/show_bug.cgi?id=49559

But I am not sure if that fix means we can use SSLDHParametersFile in 2.4.6, or we should use something else...
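The audit text quoted in the first post asks for two things: stop using a shared, publicly known DH prime, and use a group of at least 2048 bits. The script below is an added example for this thread (it is not from the original posts, Apache or OpenSSL) that checks a dhparams.pem for exactly those two points before it goes into the server config. It parses the PEM/DER with the standard library only, rebuilds the public RFC 2409 group 2 and RFC 3526 group 5 and 14 primes from the formulas printed in those RFCs so that reuse of a shared group can be detected by comparison, and confirms that the prime is a safe prime (p = 2q + 1), which is what `openssl dhparam` produces. The two sample files at the bottom are constructed here: one is the public 2048-bit group 14, the other a toy 10-bit safe prime, so each finding is exercised once.

```python
"""Check a dhparams.pem for the audit finding: shared (public) prime or < 2048 bits.

Added example for this thread, not Apache or OpenSSL code.  Everything is
standard library: PEM/DER parsing, the Miller-Rabin test and the MODP primes are
built here; the primes follow the formulas printed in RFC 2409 / RFC 3526.
"""
import base64
import random


def pi_floor_bits(bits):
    """floor(pi * 2**bits), exact integer arithmetic via Machin's formula."""
    guard = 64  # spare low bits absorb the series truncation error
    scale = 1 << (bits + guard)

    def arctan_inv(x):
        total, term, n, sign = 0, scale // x, 1, 1
        while term:
            total += sign * (term // n)
            term //= x * x
            n, sign = n + 2, -sign
        return total

    return (16 * arctan_inv(5) - 4 * arctan_inv(239)) >> guard


# Public MODP groups exactly as the RFCs define them; shipping one of these as
# the server's DH parameters is what "commonly used prime" means in the finding.
KNOWN_GROUPS = {
    "RFC 2409 group 2 (1024-bit MODP)":
        2**1024 - 2**960 - 1 + 2**64 * (pi_floor_bits(894) + 129093),
    "RFC 3526 group 5 (1536-bit MODP)":
        2**1536 - 2**1472 - 1 + 2**64 * (pi_floor_bits(1406) + 741804),
    "RFC 3526 group 14 (2048-bit MODP)":
        2**2048 - 2**1984 - 1 + 2**64 * (pi_floor_bits(1918) + 124476),
}


def is_probable_prime(n, rounds=12):
    """Trial division by small primes, then Miller-Rabin with seeded witnesses."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    rng = random.Random(0)  # seeded so results are reproducible
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # no squaring reached n-1: composite
    return True


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v):
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")  # leading 0x00 when top bit set
    return b"\x02" + _der_len(len(body)) + body


def encode_dh_params(p, g):
    """PEM 'DH PARAMETERS' = SEQUENCE { INTEGER p, INTEGER g } (PKCS#3 layout)."""
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def _read_tlv(buf, pos):
    """Return (tag, value bytes, next position) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_dh_params(pem):
    """Return (p, g) from the 'DH PARAMETERS' block in pem (other text is ignored)."""
    lines = [ln.strip() for ln in pem.splitlines()]
    start = lines.index("-----BEGIN DH PARAMETERS-----")  # ValueError if absent
    end = lines.index("-----END DH PARAMETERS-----")
    tag, seq, _ = _read_tlv(base64.b64decode("".join(lines[start + 1:end])), 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p, g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def assess_dh_params(pem, min_bits=2048):
    """Report size, shared-group reuse and safe-prime structure of a parameter file."""
    p, g = decode_dh_params(pem)
    known = next((name for name, kp in KNOWN_GROUPS.items() if kp == p), None)
    safe = is_probable_prime(p) and is_probable_prime((p - 1) // 2)
    issues = []
    if known:
        issues.append(f"prime is the public {known}; precomputation targets it")
    if p.bit_length() < min_bits:
        issues.append(f"{p.bit_length()}-bit group is below {min_bits} bits")
    if not safe:
        issues.append("p is not a safe prime (p = 2q + 1 with q prime)")
    return {"bits": p.bit_length(), "generator": g, "known_group": known,
            "safe_prime": safe, "issues": issues}


# Constructed samples: the public group 14 (what a default might ship) and a
# toy safe prime 1019 = 2*509 + 1, so each finding fires once.
SAMPLE_GROUP14_PEM = encode_dh_params(KNOWN_GROUPS["RFC 3526 group 14 (2048-bit MODP)"], 2)
SAMPLE_TINY_PEM = encode_dh_params(1019, 2)

if __name__ == "__main__":
    for label, pem in (("group14", SAMPLE_GROUP14_PEM), ("tiny", SAMPLE_TINY_PEM)):
        print(label, assess_dh_params(pem))
```

To check the file from the quoted instructions, run `openssl dhparam -out dhparams.pem 2048` and then `assess_dh_params(open("dhparams.pem").read())`; an empty `issues` list means the group is big enough and is not one of the shared primes compared here. The script only inspects the parameter file: whether the running server actually negotiates that group still has to be confirmed with a handshake against the server after the configuration change.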
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7354
Location: Germany, Next to Hamburg

Posted: Tue 04 Oct '22 13:14

Use the following:


Code:

# Curve used for ECDHE when no automatic selection applies
SSLOpenSSLConfCmd ECDHParameters secp521r1
# Curves offered to clients, in order of preference
SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1