LinkedIn
Twitter
1 ACCEPTED SOLUTION
It sounds to me that your vhost is supporting ciphers and maybe protocols you don't want it to support.
In that case, restrict the ciphers and protocols using the appropriate properties on the vhost. You didn't show your vhost configuration, so I'm guessing you didn't restrict things at all.
See the doc here.
It sounds to me that your vhost is supporting ciphers and maybe protocols you don't want it to support.
In that case, restrict the ciphers and protocols using the appropriate properties on the vhost. You didn't show your vhost configuration, so I'm guessing you didn't restrict things at all.
See the doc here.
Thanks, Dino
I have performed a sslscan to list out supported ciphers on the virtual host and noted the DHE 1024 bits(Weak Cipher) attached the screenshot below.
SSLLabs scan will downgrade our results and has “B” rated because it is subject to weak Diffie-Hellman key exchange parameters leading to Logjam attack, CVE-2015-4000
As you suggested, I have done a POC on this in a test environment. I restrict the ciphers on the vhost along with !DHE and rescanned with SSLLabs this time it was rated “A” and attached screenshot as shown in the below.
<strong><Propertyname="ssl_ciphers">HIGH:!aNULL:!MD5:!DH+3DES:!kEDH:!DHE</Property></strong>
If I restrict DHE ciphers on a virtual host level, client connection will not happen(fail) for those clients rely on below DHE ciphers.
DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA: DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA
Do I need to raise a support ticket with apigee to consider adding support for 2048-bit DHE or stronger Diffie-Hellman groups as suggested in Logjam attack, CVE-2015-4000 and the below reference link
https://weakdh.org/sysadmin.html
Reagrds
Nandeesha
