Disable SSL/TLS Diffie-Hellman Modulus 1024 Bits

When a SSL/TLS connection is established using DH <=1024 bits, an attacker could find the shared secret in a short amount of time (depending on modulus size and attacker resources). This may allow an attacker to recover the plain text or potentially violate the integrity of connections.

How to detect vulnerability?

Use nmap

nmap -Pn -p 443 –script ssl-dh-params <IP-address>

nmap DH 1024

 

How to fix vulnerable systems?

  1. Navigate to following path in Registry.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
\SChannel\KeyExchangeAlgorithms

2. Create new sub key named Diffie-Hellman, if it didn’t already exists.

DH 1024 Bits

3. Create DWORD called Enabled and set 0 value.