If you have been trying to secure your servers, especially those in the DMZ, then you will be familiar with SSL Labs. How many times can you just not seem to be able to get past a B rating because of a warning that the server supports weak Diffie-Hellman key exchange! I’m going to show you a very simple fix that I have used many times to get an “A” rating.
You will most likely see that the following cipher suites are offered by the server, each with a 1024-bit DH group:

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 1024 bits
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 1024 bits
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits
This is caused by the server accepting Diffie-Hellman key exchange with a 1024-bit group. Microsoft recommends accepting Diffie-Hellman only at 2048 bits or more.
Add the registry key below to the server.
Reboot and rerun the SSL Labs test.
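The following PowerShell script is an added example and is not the registry key from the original post. It assumes the Schannel registry path and the ServerMinKeyBitLength / ClientMinKeyBitLength DWORD values described in Microsoft Security Advisory 3174644; check those names against current Microsoft documentation before relying on them. It sets both values to 2048, reads them back so you can confirm the change, and reminds you that a reboot is needed before Schannel uses the new minimum.

```powershell
# Added example, not code from the original post. Raises the minimum
# Diffie-Hellman group size Schannel will use to 2048 bits.
# Registry path and value names are assumed from Microsoft Security
# Advisory 3174644 (not taken from this page). Run as Administrator.

$dhKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'
$minBits = 2048

function Set-MinimumDhKeyLength {
    param(
        [string]$Path = $dhKey,
        [int]$Bits    = $minBits
    )
    # The Diffie-Hellman subkey usually does not exist until you create it.
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # ServerMinKeyBitLength: smallest DH group this host will offer as a TLS server.
    # ClientMinKeyBitLength: smallest DH group this host will accept as a TLS client.
    foreach ($name in 'ServerMinKeyBitLength', 'ClientMinKeyBitLength') {
        New-ItemProperty -Path $Path -Name $name -PropertyType DWord -Value $Bits -Force | Out-Null
    }
}

function Get-MinimumDhKeyLength {
    param([string]$Path = $dhKey)
    if (-not (Test-Path $Path)) { return $null }
    Get-ItemProperty -Path $Path | Select-Object ServerMinKeyBitLength, ClientMinKeyBitLength
}

Set-MinimumDhKeyLength
Get-MinimumDhKeyLength    # both values should read 2048
Write-Host 'Reboot required before Schannel applies the new minimum; then rerun the SSL Labs test.'
```

The server value is what fixes the SSL Labs warning. The client value is included because the same host may make outbound TLS connections; be aware that it will cause those connections to fail against any remote server that only offers a 1024-bit DH group, so test outbound dependencies after the reboot.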