How to change DH key size in Diffie-Hellman key exchange

Article ID: 130011

Products

STARTER PACK-7 CA Rapid App Security CA API Gateway

Issue/Introduction



By default, API Gateway 9.3 uses a weaker key exchange on ports 2124/TCP, 8443/TCP and 9443/TCP:
the key size (DH parameter) of the Diffie-Hellman key exchange is 1024 bits or less.

To meet the PCI DSS requirement, a DH parameter of 2048 bits or more is recommended.

How do you change the key size?

Notes:
Here is an example command to check the key size of the DH parameter:

$ openssl s_client -connect APIGW_Server_IPaddr:2124 -tls1

Server Temp Key: DH, 1024 bits

Environment

API Gateway 9.3

Resolution

In Policy Manager, open Manage Listen Ports and the properties of the listen port; the SSL/TLS Settings tab has the 'Enabled TLS Versions' check boxes.
After disabling TLS 1.0 and enabling TLS 1.2, the key size of the DH parameter changes to 2048 bits. Because TLS 1.0 is now disabled, check with a TLS 1.2 handshake:

$ openssl s_client -connect APIGW_Server_IPaddr:2124 -tls1_2

Server Temp Key: DH, 2048 bits
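To repeat the check above across all three listen ports, here is an added script (not part of this article or the product): it runs the same openssl s_client probe with TLS 1.2 and flags any port whose DH parameter is below 2048 bits. The host name and the port list are assumptions taken from the ports named above.

```shell
#!/bin/sh
# Added example, not from the CA/Broadcom article: audit the ephemeral key that
# openssl s_client reports for each Gateway listen port and flag DH parameters
# below 2048 bits. The host name and the port list are assumptions.

MIN_DH_BITS=2048

# Read openssl s_client output on stdin and print the DH parameter size in
# bits, or 0 when no "Server Temp Key: DH, N bits" line is present (the
# handshake failed, or the server negotiated a non-DH key exchange).
dh_bits() {
  bits=$(sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1)
  echo "${bits:-0}"
}

# Classify one captured s_client transcript: ok, weak, or nodh.
dh_status() {
  bits=$(printf '%s\n' "$1" | dh_bits)
  if [ "$bits" -eq 0 ]; then
    echo nodh
  elif [ "$bits" -ge "$MIN_DH_BITS" ]; then
    echo ok
  else
    echo weak
  fi
}

# Probe one listen port with TLS 1.2 (the version the article enables) and
# report the verdict. Returns non-zero unless the DH size meets the minimum.
check_port() {
  host=$1; port=$2
  out=$(openssl s_client -connect "$host:$port" -tls1_2 </dev/null 2>/dev/null) || true
  status=$(dh_status "$out")
  echo "$host:$port -> $status ($(printf '%s\n' "$out" | dh_bits) bits)"
  [ "$status" = ok ]
}

# Usage: sh check_dh.sh APIGW_Server_IPaddr   (ports from the article)
if [ -n "$1" ]; then
  rc=0
  for p in 2124 8443 9443; do check_port "$1" "$p" || rc=1; done
  exit $rc
fi
```

A port that negotiates ECDHE (for example "Server Temp Key: X25519, 253 bits") is reported as nodh rather than weak, since the 2048-bit threshold only applies to finite-field DH.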

Notes:
API Gateway 9.4 uses a 2048-bit DH parameter by default.