1

I have the following Diffie-Hellman ciphers on one of my servers

TLS_DHE_DSS_WITH_AES_128_CBC_SHA256     
TLS_DHE_DSS_WITH_AES_256_CBC_SHA        
TLS_DHE_DSS_WITH_AES_128_CBC_SHA      
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

I have been asked to disable any and al Diffie-Hellman moduli of less than 2048 bits

I've managed to find out that found the out that:

TLS_DHE_RSA_WITH_AES_256_CBC_SHA 
TLS_DHE_RSA_WITH_AES_128_CBC_SHA

have a bit length of 1024 but I'm really struggling to find what the actual bit length is of the first 4 ciphers that I mentioned..I've been searching the internet but I just can't find anything?

Am I missing anything? Any help gratefully received

limeeattack
  • 253
  • 1
  • 13
Mick8695
  • 111
  • 1

1 Answers1

1

Am I missing anything?

Actually, within the TLS protocol, the DH group used is not tied to the ciphersuite (even for ciphersuites that specify the use of DH); instead, those are negotiated separately (for DHE ciphersuites, the server proposes it within the ServerKeyExchange handshake).

I don't know what configurability your implementation has with regards to what DH groups is proposes/accepts - however, disabling specific ciphersuites may not be the correct method. Your implementation might have a built-in assumption that "for this specific ciphersuite, we always use that specific DH group" - that would not be my first guess.

poncho
  • 154,064
  • 12
  • 239
  • 382