Messaging Gateway and SMTP TLS Diffie-Hellman key length
Article ID: 174623

Products

Messaging Gateway

Issue/Introduction

Versions of Messaging Gateway (SMG) prior to SMG 10.7.0 may use a 1024 bit temporary key for Diffie-Hellman key exchange during TLS negotiation. More recent security requirements no longer consider a 1024 bit temporary key sufficiently secure and demand a temporary key length of 2048 bits or more.

Resolution

This issue of long-term use of the same DH key parameters has been resolved in the SMG 10.7.4 release, which allows the recreation of more secure Diffie-Hellman (DH) keys using the following CLI command:

smg> mta-control all regen-dh-keys

Note: For backward compatibility with older TLS implementations, Messaging Gateway will perform key negotiation using a 1024 bit DH key if the connecting client specifically requests this key length. In general the connecting client will request a larger key length if it can support it. This can cause some vulnerability scanners to flag SMG's use of a 1024 bit key as an issue, but this key length is only used at the request of the connecting client, on the basis that, if that is the best the connecting client can support, a weak key exchange is better than failing TLS negotiation and the message potentially being delivered in plain text.
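To see for yourself which ephemeral DH key size a mail server actually negotiates, rather than relying on a scanner's summary, the following added example (not SMG code or part of this article) captures an `openssl s_client` STARTTLS handshake forced onto a DHE cipher and classifies the reported "Server Temp Key" size. The host name and the sample handshake output are constructed.

```shell
#!/bin/sh
# Added example: classify the ephemeral DH key size an SMTP server offers
# during STARTTLS. Not SMG code; the host name and samples are constructed.

# probe_dh_output HOST: run a TLS 1.2 STARTTLS handshake, forcing a non-anonymous
# ephemeral DH cipher so the "Server Temp Key" line reports the DH size.
# Usage (live, against your own server): probe_dh_output smg.example.invalid
probe_dh_output() {
  openssl s_client -starttls smtp -connect "$1:25" \
    -tls1_2 -cipher 'DHE:!aNULL' </dev/null 2>/dev/null
}

# dh_bits_from_output: read s_client output on stdin and print the DH key size
# in bits; prints nothing if no DH temp key was negotiated (e.g. ECDHE, or the
# server refused every DHE cipher and the handshake failed).
dh_bits_from_output() {
  sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits$/\1/p'
}

# classify_dh_bits BITS: "weak" below the 2048 bit requirement, "ok" at or
# above it, "none" when no DH key size was found.
classify_dh_bits() {
  if [ -z "$1" ]; then echo none
  elif [ "$1" -lt 2048 ]; then echo weak
  else echo ok
  fi
}

# check_output TEXT: run the parse and classify steps over captured s_client text.
check_output() {
  bits=$(printf '%s\n' "$1" | dh_bits_from_output)
  classify_dh_bits "$bits"
}

# Constructed samples of the relevant s_client lines.
SAMPLE_1024='---
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 2345 bytes and written 456 bytes'
SAMPLE_2048='Server Temp Key: DH, 2048 bits'
SAMPLE_ECDH='Server Temp Key: X25519, 253 bits'

check_output "$SAMPLE_1024"   # prints: weak
```

Against a live server, `probe_dh_output HOST | dh_bits_from_output` prints the negotiated DH size; a server that offers only 2048 bit or larger parameters will never produce "weak" here regardless of what the client asks for.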

Disabling DH Key Exchange

To disable DH key exchange, run the following command on the SMG admin command line:

smg> mta-control all set-tls-ciphers 'ALL:!ADH:+HIGH:-MEDIUM:-LOW:-SSLv2:-EXP:-eNULL:-aNULL:!DH'

Broadcom support cannot provide assistance with TLS negotiation issues caused by changes to the default cipher suite list, other than to recommend that the cipher suite list be returned to the default value:

smg> mta-control all set-tls-ciphers default