search cancel

How to disable Diffie-Hellman key exchange in Messaging Gateway

book

Article ID: 240953

calendar_today

Updated On:

Products

Messaging Gateway

Issue/Introduction

Vulnerability scans show that the SMG MTA will accept Diffie-Hellman (DH) key exchange with a 1024 bit key when negotiating TLS.

WARNING: SSH Weak Key Exchange Algorithms Enabled

While SMG is not vulnerable to the Logjam vulnerability there is some concern that some nation state level actors may be able to decrypt an SMTP session negotiated using 1024 bit DH key exchange by a brute force attack on the key exchange.

Resolution

Currently there is no means of removing just the 1024 bit DH key exchange leaving SMG to do 2048 but or greater DH key exchange.

For environments which cannot allow SMG to use 1024 bit DH key exhange, DH key exchange by the SMG MTA can be disabled via the following process:

  1. Log into the SMG scanner command line (CLI) as admin
  2. Run the following command to remove all DH ciphersuites from the available ciphersuite list
    mta-control all set-tls-ciphers 'ALL:!ADH:+HIGH:-MEDIUM:-LOW:-SSLv2:-EXP:-eNULL:-aNULL:!DH'
  3. Restart the MTA
    service mta restart

Note: This significantly reduces the number of available ciphersuites and may cause an inability to negotiate secure TLS connections with some older SMTP TLS implementations. Broadcom support can provide no recommendation in this situation other than to return SMG to its default TLS cipher configuration as follows:

mta-control all set-tls-ciphers default