Disable SSL/TLS Diffie-Hellman Modulus 1024 Bits

When a SSL/TLS connection is established using DH <=1024 bits, an attacker could find the shared secret in a short amount of time (depending on modulus size and attacker resources). This may allow an attacker to recover the plain text or potentially violate the integrity of connections.

How to detect vulnerability?

Use nmap

nmap -Pn -p 443 –script ssl-dh-params <IP-address>

nmap DH 1024

 

How to fix vulnerable systems?

  1. Navigate to following path in Registry.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
\SChannel\KeyExchangeAlgorithms

2. Create new sub key named Diffie-Hellman, if it didn’t already exists.

DH 1024 Bits

3. Create DWORD called Enabled and set 0 value.

Disable SSL RC4 Cipher Suits on Windows Server

Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS) protocols provide integrity, confidentiality and authenticity services to other protocols that lack these features. SSL/TLS protocols use ciphers such as AES, DES, 3DES and RC4 to encrypt the content of the higher layer protocols. However, RC4 is considered as practically vulnerable and RC4 is recommended to be disabled on Server.

How to detect Vulnerability?

Download and use testssl.sh

.testssl.sh –rc4 <ip-address>

testssl.sh rc4

 

How to fix Vulnerable Systems?

  1. Navigate to following path in regedit.

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
\SecurityProviders\SCHANNEL\Ciphers

2. Create following RC4 sub keys if they do not exists already.

Disable RC4 Cipher on Windows Server

3. Create REG_DWORD called Enabled and set as 0 value for all the 3 RC4 folders.