Server Supports Weak Diffie-Hellman Key Exchange

Server Supports Weak Diffie-Hellman Key Exchange

If you have been trying to secure your servers, especially those in the DMZ, then you will be familiar with SSL Labs. How many times can you just not

Sophos Anti-Virus Secrets
Changing PWDLASTSET in Active Directory
IIS with ASP.NET support check

If you have been trying to secure your servers, especially those in the DMZ, then you will be familiar with SSL Labs. How many times can you just not seem to be able to get past a B rating because of a warning that the server supports weak diffie-hellman key exchange! I’m going to show you a very simple fix that I have used many times to get an “A” Rating.

You will most likely see the following ciphers are used by the server:
TLS_DHE_RSA_WITH_AES_256__GCM_SHA384 (0x9f) DH 1024 bits
TLS_DHE_RSA_WITH_AES_128__GCM_SHA256 (0x9e) DH 1024 bits
TLS_DHE_RSA_WITH_AES_256__CBC_SHA (0x39) DH 1024 bits
TLS_DHE_RSA_WITH_AES_128__CBC_SHA (0x33) DH 1024 bits

Issue:
This is caused by the Diffie-Hellman protocol being accepted at 1024 bits. Microsoft recommends to only accept Diffie-Hellman at 2048+ bits.

Solution:
Add the registry key below to the server.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"ServerMinKeyBitLength"=dword:00000800

Reboot and rerun the SSL Labs test.

 

Leave a Reply

avatar

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  Subscribe  
Notify of