SSL/TLS Weak Key Exchange Supported?

[kimp78]

Hi,
We've been running tenable.io scans on one of our sites. Recently the results have been flagging a vulnerability: SSL/TLS Weak Key Exchange supported. The description goes on to state teh Key exchanges should be at least 224 bits of security, which translates to a minimum key size of 2048 bits... We have not adjusted any of the cipher settings. Everything has been left as default.

This is WHM server with 18 cpanel sites. My concerns is if I edit the cipher and protocol list to disable these "weak" exchanges, what impact will that have on my other sites and the server itself. If anyone could spare a little time just to offer a little clarity and advice I would really appreciate it!

Thank you

 

[cPRex]

Hey there! By default, there aren't any keys in modern cPanel installations that would be smaller than 2048. This can be seen in the WHM >> SSL/TLS Configuration page, where 2048 is the lowest option available.

Did they specifically say this was part of the Apache connection? If so, there are some more thoughts here about the actual ciphers and what "strong" can be for various situations:

SSL/TLS Strong Encryption: How-To - Apache HTTP Server Version 2.5

 

[kimp78]

Hi cPREex,

They did not specifically say if it was a part of the the Apache connection, only this:

The remote host supports SSL/TLS key exchanges that are cryptographically weaker than recommended. Key exchanges should provide at least 224 bits of security, which translates to a minimum key size of 2048 bits for Diffie Hellman and RSA key exchanges.

Solution
Reconfigure the affected application, if possible to avoid the use of weak key exchange. See Also Transport Layer Security (TLS) Parameters

Protocol Cipher Suite Name (RFC) ------------------------------------
TLS 1.3 TLS_AES_128_GCM_SHA256
TLS 1.2 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

I'm a little confused by it all, as the first thing I did was login to see that 2048 bit keys were being used. So I began to question if it was the 128 AES that the scan is complaining about.

 

[cPRex]

Thanks for that - it definitely could be the AES options, although I'm not going to claim that I have every single cipher option memorized. It may just be a matter of examining the cipher suite, looking up each option, and removing ones that don't meet their requirements.

 

[kimp78]

Is there a way to remove the cipher suites just for a specific cpanel account rather than removing it server wide from WHM?

 

[cPRex]

Within WHM, no, that's not possible. You technically can with Apache, although you'd be customizing each vhost and I'm not sure that's a good idea from an administration perspective.

 

[kimp78]

Thanks cPRex! I'd rather not make this change server wide. Especially when I run other security scanners that show no issue with the cipher suite at all.