Security Vulnerability - Diffie-Hellman group smaller than 2048 bits

Article ID: 223482

Products

CA Identity Manager

Issue/Introduction

The CA-IDM application server has the following vulnerability.

Vulnerability details:

The TLS server uses a Diffie-Hellman group with a prime modulus of less than 2048 bits in length. Current estimates are that an academic team can break a 768-bit prime and that a state-level actor can break a 1024-bit prime.

Recommended solution:

Use a Stronger Diffie-Hellman Group

Please refer to this guide to deploying Diffie-Hellman for TLS (https://weakdh.org/sysadmin.html) for instructions on how to configure the server to use 2048-bit or stronger Diffie-Hellman groups with safe primes.

How to remediate this vulnerability?

Cause

This is caused by the TLS server using a Diffie-Hellman group of insufficient size, as described above.

Environment

Release: Identity Manager 14.3

Component: Wildfly 8.2

Windows 2016

Resolution

This can be done at the application level or at the JVM level.

For the application level, please refer to the solution from Red Hat (subscription required):

https://access.redhat.com/solutions/1463083

At the JVM level, follow

https://www.ibm.com/support/pages/how-disable-ssltls-diffie-hellman-keys-less-2048-bits

by updating java.security,

or add -Djdk.tls.ephemeralDHKeySize=2048 as a JVM option argument and restart IDM.
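
To confirm after the restart that the server now offers a 2048-bit or larger group, the ephemeral key size reported by `openssl s_client` can be checked. The script below is an added example, not part of the original article or any vendor tooling; the function names, host name and sample outputs are constructed, and it assumes OpenSSL 1.1.0 or later on the machine running the check.

```shell
#!/bin/sh
# Added example: classify the ephemeral DH key size reported by `openssl s_client`.
# Function names and sample outputs are constructed for illustration.
MIN_DH_BITS=2048

# Probe a server you administer, offering only DHE suites over TLS 1.2.
# $1 = host:port. @SECLEVEL=0 (OpenSSL 1.1.0+) lets the local client finish the
# handshake with a small group so its size is reported instead of rejected.
probe_dhe() {
  openssl s_client -connect "$1" -tls1_2 -cipher 'DHE:@SECLEVEL=0' </dev/null 2>/dev/null
}

# Read s_client output on stdin and print one verdict line.
dh_verdict() {
  dv_bits=$(sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1)
  if [ -z "$dv_bits" ]; then
    echo "NO_DHE_KEY"          # handshake failed or no DHE suite was negotiated
  elif [ "$dv_bits" -lt "$MIN_DH_BITS" ]; then
    echo "WEAK $dv_bits"       # still below the 2048-bit minimum
  else
    echo "OK $dv_bits"
  fi
}

# Constructed s_client excerpts: before the fix, after the fix, and an ECDHE
# handshake (which does not exercise the finite-field DH group at all).
SAMPLE_BEFORE='Server Temp Key: DH, 1024 bits
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384'
SAMPLE_AFTER='Server Temp Key: DH, 2048 bits
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384'
SAMPLE_ECDHE='Server Temp Key: ECDH, P-256, 256 bits
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'

for sample in "$SAMPLE_BEFORE" "$SAMPLE_AFTER" "$SAMPLE_ECDHE"; do
  printf '%s\n' "$sample" | dh_verdict
done

# Real use (hypothetical host and port):
#   probe_dhe idm.example.internal:8443 | dh_verdict
```

A `NO_DHE_KEY` result means the probe saw no finite-field DH key exchange, so it neither confirms nor refutes the fix; check that the server still has DHE suites enabled before treating it as a pass.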