
How to remove Diffie Hellman from Tunnel server cipher list


Article ID: 134969


Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

Diffie-Hellman (DH) key exchange can be disabled on the Tunnel Server by supplying a custom OpenSSL cipher string in the Tunnel Server configuration.


Environment

Any hub version

Resolution

Select 'Custom' under Security Settings in the Tunnel Server Config.


For hub versions using OpenSSL 1.0.2, enter one of the cipher strings below:


HIGH:!DH

or

DEFAULT:!DH


For hub versions using OpenSSL 1.0.1, enter one of the cipher strings below:


HIGH:!DH:!EXP:!NULL

or

DEFAULT:!DH:!EXP:!NULL:!LOW


You can verify the change by running the following openssl commands from a client machine (each forces a DH-only cipher list, so the handshake should fail):


openssl s_client -connect {Tunnel_server_IP}:48003 -cipher "EDH"

openssl s_client -connect {Tunnel_server_IP}:48003 -cipher "DHE"


You should see output like the following:


---------------------------------

CONNECTED(00000003)

---

no peer certificate available

---

No client certificate CA names sent

---

SSL handshake has read 7 bytes and written 137 bytes

---

New, (NONE), Cipher is (NONE)

Secure Renegotiation IS NOT supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

SSL-Session:

    Protocol  : TLSv1.2

    Cipher    : 0000

....

---------------------------------


This indicates that the requested DH ciphers are not supported on the Tunnel Server port. After removing the -cipher flag, a non-Diffie-Hellman cipher is negotiated, in this case 'AES256-GCM-SHA384':


SSL-Session:

    Protocol  : TLSv1.2

    Cipher    : AES256-GCM-SHA384
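The two checks above, as an added example that is not part of the original article: a Python script that expands a cipher string with `openssl ciphers -v` and reports any suite whose key exchange (the Kx column) is DH, and that reads the negotiated cipher out of `openssl s_client` output so that `Cipher : 0000` is recognised as a rejected handshake. The `ciphers -v` and `s_client` samples embedded in the script are constructed for illustration, the port 48003 is the tunnel port from the article, and the live probe only runs when an openssl binary is available on the client. One caveat worth knowing before choosing a string: `!DH` removes DHE/EDH, fixed-DH and anonymous DH suites, but not ECDHE suites, which OpenSSL lists under the separate Kx=ECDH class.

```python
"""Verify that a Tunnel Server cipher string excludes DH key exchange and
interpret the result of an openssl s_client probe against the tunnel port."""
import re
import shutil
import subprocess
import sys

TUNNEL_PORT = 48003  # tunnel port used in the article

# Constructed sample of `openssl ciphers -v` output (not captured from a real hub).
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
"""

# Constructed s_client output for a rejected handshake (mirrors the article's shape).
SAMPLE_S_CLIENT_REJECTED = """\
CONNECTED(00000003)
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
"""

# Constructed s_client output for a successful non-DH handshake.
SAMPLE_S_CLIENT_OK = """\
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
"""


def dh_suites(ciphers_v_output):
    """Return the names of suites whose key exchange column is exactly Kx=DH.
    Kx=ECDH (ECDHE suites) deliberately does not match."""
    found = []
    for line in ciphers_v_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "Kx=DH":
            found.append(fields[0])
    return found


def expand_cipher_string(cipher_string):
    """Run `openssl ciphers -v <string>`; returns None when openssl is absent
    or rejects the string, so callers can fall back to the embedded sample."""
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                          capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else None


def negotiated_cipher(s_client_output):
    """Return the cipher name from the SSL-Session block of s_client output,
    or None when the handshake failed (OpenSSL prints 'Cipher : 0000')."""
    match = re.search(r"^\s*Cipher\s*:\s*(\S+)", s_client_output, re.MULTILINE)
    if not match or match.group(1) == "0000":
        return None
    return match.group(1)


def uses_dh(cipher_name):
    """True when a negotiated suite name indicates finite-field DH key exchange
    (DHE-, EDH-, ADH- or fixed DH- prefixes in OpenSSL naming)."""
    return cipher_name is not None and re.match(r"^(DHE|EDH|ADH|DH)-", cipher_name) is not None


def probe_tunnel(host, port=TUNNEL_PORT, cipher=None, timeout=10):
    """Run `openssl s_client -connect host:port [-cipher X]` and return the
    negotiated cipher, or None if the handshake failed or openssl is absent."""
    if shutil.which("openssl") is None:
        return None
    cmd = ["openssl", "s_client", "-connect", "%s:%d" % (host, port)]
    if cipher:
        cmd += ["-cipher", cipher]
    proc = subprocess.run(cmd, input="", capture_output=True, text=True, timeout=timeout)
    return negotiated_cipher(proc.stdout)


if __name__ == "__main__":
    # Usage: python check_no_dh.py 'HIGH:!DH' [tunnel_host]
    cipher_string = sys.argv[1] if len(sys.argv) > 1 else "HIGH:!DH"
    expanded = expand_cipher_string(cipher_string) or SAMPLE_CIPHERS_V
    print("DH suites in '%s': %s" % (cipher_string, dh_suites(expanded) or "none"))
    if len(sys.argv) > 2:
        print("forced DHE handshake:", probe_tunnel(sys.argv[2], cipher="DHE"))
        print("default handshake:", probe_tunnel(sys.argv[2]))
```

When run against a correctly configured tunnel, the forced DHE probe returns None (the `Cipher : 0000` case from the article) and the default probe returns a suite for which `uses_dh()` is False, such as AES256-GCM-SHA384.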

Additional Information

OpenSSL 1.0.2 Ciphers:

https://www.openssl.org/docs/man1.0.2/man1/ciphers


OpenSSL 1.0.1 Ciphers:

https://www.openssl.org/docs/man1.1.0/man1/ciphers.html