SSL/TLS Weak Key Exchange Supported?

kimp78

Registered
Sep 6, 2022
4
0
1
Vancouver
cPanel Access Level
Root Administrator
Hi,
We've been running tenable.io scans on one of our sites. Recently the results have been flagging a vulnerability: SSL/TLS Weak Key Exchange supported. The description goes on to state teh Key exchanges should be at least 224 bits of security, which translates to a minimum key size of 2048 bits... We have not adjusted any of the cipher settings. Everything has been left as default.

This is WHM server with 18 cpanel sites. My concerns is if I edit the cipher and protocol list to disable these "weak" exchanges, what impact will that have on my other sites and the server itself. If anyone could spare a little time just to offer a little clarity and advice I would really appreciate it!

Thank you
 
Last edited by a moderator:

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
12,499
1,971
363
cPanel Access Level
Root Administrator
Hey there! By default, there aren't any keys in modern cPanel installations that would be smaller than 2048. This can be seen in the WHM >> SSL/TLS Configuration page, where 2048 is the lowest option available.

Did they specifically say this was part of the Apache connection? If so, there are some more thoughts here about the actual ciphers and what "strong" can be for various situations:

 

kimp78

Registered
Sep 6, 2022
4
0
1
Vancouver
cPanel Access Level
Root Administrator
Hi cPREex,

They did not specifically say if it was a part of the the Apache connection, only this:

The remote host supports SSL/TLS key exchanges that are cryptographically weaker than recommended. Key exchanges should provide at least 224 bits of security, which translates to a minimum key size of 2048 bits for Diffie Hellman and RSA key exchanges.

Solution
Reconfigure the affected application, if possible to avoid the use of weak key exchange. See Also Transport Layer Security (TLS) Parameters

Protocol Cipher Suite Name (RFC) ------------------------------------
TLS 1.3 TLS_AES_128_GCM_SHA256
TLS 1.2 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256


I'm a little confused by it all, as the first thing I did was login to see that 2048 bit keys were being used. So I began to question if it was the 128 AES that the scan is complaining about.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
12,499
1,971
363
cPanel Access Level
Root Administrator
Thanks for that - it definitely could be the AES options, although I'm not going to claim that I have every single cipher option memorized. It may just be a matter of examining the cipher suite, looking up each option, and removing ones that don't meet their requirements.