Diffie-Hellman key exchange can be disabled by providing a custom cipher string in the Tunnel Server config.
Any hub version
Select 'Custom' under Security Settings in the Tunnel Server Config.
For hub versions using OpenSSL 1.0.2, enter one of the cipher strings below:
HIGH:!DH
or
DEFAULT:!DH
For hub versions using OpenSSL 1.0.1, enter one of the cipher strings below:
HIGH:!DH:!EXP:!NULL
or
DEFAULT:!DH:!EXP:!NULL:!LOW
You can verify the change by running the following openssl commands from a client machine (each requests only Diffie-Hellman suites):
openssl s_client -connect {Tunnel_server_IP}:48003 -cipher "EDH"
openssl s_client -connect {Tunnel_server_IP}:48003 -cipher "DHE"
You should see output like the following:
---------------------------------
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 137 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
....
---------------------------------
This indicates that the requested ciphers are not supported on the Tunnel Server port. After removing the -cipher flag, a non-Diffie-Hellman cipher is negotiated, in this case 'AES256-GCM-SHA384':
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
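The following shell script is an added example and is not part of this article or of the Tunnel Server product. It turns the two manual checks above into functions: one inspects the output of `openssl ciphers -v` for a candidate cipher string to confirm that no suite with a DH key exchange survives, and the other parses `openssl s_client` output to tell whether the handshake was refused or which cipher was negotiated. The sample outputs embedded in the script are constructed to match the shapes shown in the article (they are not captured from a real hub); the host and port passed to the live helpers are assumptions, with 48003 taken from the article.

```shell
#!/bin/sh
# Added example (not from the original article). Helpers for checking that a
# cipher string and a live TLS port do not allow Diffie-Hellman key exchange.

# --- Part 1: check a cipher string offline-style via `openssl ciphers -v` ----

# Constructed sample of `openssl ciphers -v` output (format: name, protocol,
# Kx=, Au=, Enc=, Mac=). Includes one DHE suite to show what must NOT appear.
SAMPLE_CIPHERS_V='DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD'

# dh_in_cipher_list OUTPUT -> exit 0 if any suite uses Kx=DH (not ECDH), else 1
dh_in_cipher_list() {
    printf '%s\n' "$1" | grep -Eq '[[:space:]]Kx=DH([[:space:]]|$)'
}

# cipher_string_allows_dh STRING -> runs openssl on a live system (not run here)
# e.g. cipher_string_allows_dh 'HIGH:!DH' should return 1 (no DH suites left)
cipher_string_allows_dh() {
    list=$(openssl ciphers -v "$1" 2>/dev/null) || return 1
    dh_in_cipher_list "$list"
}

# --- Part 2: interpret `openssl s_client` output -----------------------------

# Constructed sample: DH-only request against a port where DH is disabled.
SAMPLE_DH_REFUSED='CONNECTED(00000003)
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

# Constructed sample: successful handshake without the -cipher flag.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384'

# Constructed sample: a server where DH is still enabled (the case to detect).
SAMPLE_DH_STILL_ON='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384'

# negotiated_cipher OUTPUT -> prints the "Cipher :" value from the SSL-Session block
negotiated_cipher() {
    printf '%s\n' "$1" | awk -F':' '/^[[:space:]]*Cipher[[:space:]]*:/ {
        gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }'
}

# handshake_failed OUTPUT -> exit 0 when no cipher was negotiated ("0000" or empty)
handshake_failed() {
    cipher=$(negotiated_cipher "$1")
    [ "$cipher" = "0000" ] || [ -z "$cipher" ]
}

# dh_negotiated OUTPUT -> exit 0 if a finite-field DH suite was negotiated
dh_negotiated() {
    cipher=$(negotiated_cipher "$1")
    case "$cipher" in
        DHE-*|EDH-*|DH-*|ADH-*) return 0 ;;   # ECDHE-* deliberately not matched
        *) return 1 ;;
    esac
}

# check_dh_disabled HOST PORT -> live probe of a Tunnel Server port (not run here)
# Usage: check_dh_disabled tunnel-server.example.internal 48003
check_dh_disabled() {
    host=$1; port=$2
    out=$(openssl s_client -connect "$host:$port" -cipher "DHE:EDH" \
          </dev/null 2>/dev/null) || true
    if handshake_failed "$out"; then
        echo "OK: $host:$port refuses Diffie-Hellman key exchange"
        return 0
    fi
    echo "WARNING: $host:$port negotiated $(negotiated_cipher "$out")"
    return 1
}
```

The `Kx=DH` match is anchored on whitespace so that `Kx=ECDH` (elliptic-curve, which the article's cipher strings do not exclude) is not counted, and the `case` patterns in `dh_negotiated` follow the same rule for negotiated suite names.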
OpenSSL 1.0.2 Ciphers:
https://www.openssl.org/docs/man1.0.2/man1/ciphers
OpenSSL 1.0.1 Ciphers:
https://www.openssl.org/docs/man1.1.0/man1/ciphers.html