I've googled around for that and for a layman like myself I didn't find anything that 'held my hand' through the process. If you know how to do this could you elaborate on how to disable Diffie-Hellman key exchanges?
Thanks,
Mike Hoy

On Sun, Jul 8, 2012 at 3:33 PM, <jb-open...@wisemo.com> wrote:

> Use the 3rd option suggested by McAfee, it is better than their first
> two options.
>
> The 3rd option is to "configure the ciphersuite used by the server to not
> include any Diffie-Hellman key exchanges" until your choice of distribution
> includes OpenSSL 1.0.1 with the new FIPS module.
> On 08-07-2012 20:58, Mike Hoy wrote:
>
> We received the following from McAfee PCI Compliance service:
>
> Description
> The remote SSL/TLS server accepts a weak Diffie-Hellman (DH) public
> key value.
>
> This flaw may aid an attacker in conducting a man-in-the-middle (MiTM)
> attack against the remote server since it could enable a forced
> calculation of a fully predictable Diffie-Hellman secret.
>
> By itself, this flaw is not sufficient to set up a MiTM attack (hence
> a risk factor of 'none'), as it would require some SSL implementation
> flaws to affect one of the clients connecting to the remote host.
>
> General Solution
> OpenSSL is affected when compiled in FIPS mode. To resolve this
> issue, either upgrade to OpenSSL 1.0.0, disable FIPS mode or configure
> the ciphersuite used by the server to not include any Diffie-Hellman
> key exchanges.
>
> PolarSSL is affected. To resolve this issue, upgrade to version
> 0.99-pre3 / 0.14.2 or higher.
>
> If using any other SSL implementation, configure the ciphersuite used
> by the server to not include any Diffie-Hellman key exchanges or
> contact your vendor for a patch.
>
>
>
> We want to know how to disable FIPS mode. We cannot upgrade OpenSSL
> without compiling it and we would rather use yum to upgrade our software on
> our servers. CentOS is only offering .9.x currently. My understanding is
> that only people working for the government would be utilizing FIPS mode
> while browsing the net. So is our solution correct: Disable FIPS mode? If
> so how does one go about doing this on a GoDaddy dedicated CentOS system?
>
> Thanks,
> --
> Mike Hoy
>
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
> Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
>

--
Mike Hoy