ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

How to disable Diffie-Hellman key exchange in Messaging Gateway

book

Article ID: 240953

calendar_today

Updated On:

Products

Messaging Gateway

Issue/Introduction

Vulnerability scans show that the SMG MTA will accept Diffie-Hellman (DH) key exchange with a 1024 bit key when negotiating TLS.

While SMG is not vulnerable to the Logjam vulnerability there is some concern that some nation state level actors may be able to decrypt an SMTP session negotiated using 1024 bit DH key exchange by a brute force attack on the key exchange.

Resolution

Currently there is no means of removing just the 1024 bit DH key exchange leaving SMG to do 2048 but or greater DH key exchange.

For environments which cannot allow SMG to use 1024 bit DH key exhange, DH key exchange by the SMG MTA can be disabled via the following process:

  1. Log into the SMG scanner command line (CLI) as admin
  2. Run the following command to remove all DH ciphersuites from the available ciphersuite list
    mta-control all set-tls-ciphers 'ALL:!ADH:+HIGH:-MEDIUM:-LOW:-SSLv2:-EXP:-eNULL:-aNULL:!DH'
  3. Restart the MTA
    service mta restart

Note: This significantly reduces the number of available ciphersuites and may cause an inability to negotiate secure TLS connections with some older SMTP TLS implementations. Broadcom support can provide no recommendation in this situation other than to return SMG to its default TLS cipher configuration as follows:

mta-control all set-tls-ciphers default