SSH Diffie-Hellman Modulus <= 1024 Bits (Logjam)

Damian2Cubed

Sep 28, 2018
Hey guys,

One of the sites hosted on WHM failed PCI.

THREAT:
The remote host allows SSH connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits.
I read a good few topics about it and I understand the problem, but I don't know how to fix it.
Can someone explain step by step what I need to do to fix this vulnerability?

Hello,

Here's a response from one of our technical analysts on a recent support ticket regarding this vulnerability:

I would recommend, at a minimum, upgrading to Apache 2.4. It appears that by default, Apache 2.4.7 and above do not serve Diffie-Hellman parameters smaller than 2048 bits:

mod_ssl - Apache HTTP Server Version 2.4

Additionally, you could also generate the custom Diffie-Hellman parameters and provide them directly to OpenSSL globally by adding the directive suggested by the Logjam site you linked to:

SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}"

in one of the Apache includes, which can be edited through WHM:

Include Editor - Documentation - cPanel Documentation
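
The finding quoted in the first post concerns the Diffie-Hellman groups sshd offers for group-exchange key agreement, which OpenSSH reads from a moduli file (`/etc/ssh/moduli` by default). As an added example, not part of the thread or of cPanel's guidance, this script counts and filters out entries below a chosen size; the sample entries, the function names and the 2047 threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Audit and filter an OpenSSH moduli file (added example, not from the thread).
# Fields per moduli(5): time type tests tries size generator modulus
# "size" is one less than the modulus bit length (2047 means a 2048-bit prime).

# count_weak FILE MIN_SIZE: print how many entries have size < MIN_SIZE.
count_weak() {
    awk -v min="$2" '
        !/^[ \t]*#/ && NF >= 7 && $5 + 0 < min { n++ }
        END { print n + 0 }' "$1"
}

# filter_moduli FILE MIN_SIZE: print comments, blank lines and every entry
# with size >= MIN_SIZE. Malformed lines (fewer than 7 fields) are dropped.
filter_moduli() {
    awk -v min="$2" '
        /^[ \t]*#/ || NF == 0 || (NF >= 7 && $5 + 0 >= min)' "$1"
}

# Constructed sample: real entries carry a long hex modulus, shortened here.
make_sample() {
    cat <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20180101000000 2 6 100 1023 2 F1A2B3
20180101000001 2 6 100 1535 2 C4D5E6
20180101000002 2 6 100 2047 2 A7B8C9
20180101000003 2 6 100 4095 5 D0E1F2
EOF
}

# Demo on the constructed sample (threshold 2047 = keep 2048-bit and larger).
sample=$(mktemp)
make_sample > "$sample"
echo "entries below 2048 bits: $(count_weak "$sample" 2047)"
echo "filtered file:"
filter_moduli "$sample" 2047
rm -f "$sample"
```

On a server, write the filtered output to a new file, review it, and only then replace the moduli file. The fixed 1024-bit group `diffie-hellman-group1-sha1` is not controlled by this file; it is governed by `KexAlgorithms` in `sshd_config`.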