RE: QID 38863 - Cryptographically Weak Key Exchange Size
Hi Chriss Yeah kind of theoretical question. Recently a new Qualys QID vulnerability was released, QID: 38863 - Cryptographically Weak Key Exchange Size, which deals with weak cipher key exchange key values. So just checking if there is a way to specify a key size for the exchange? Thanks, Saicharan Burle -Original Message- From: Christopher Schultz Sent: Thursday, July 21, 2022 5:36 PM To: users@tomcat.apache.org Subject: Re: QID 38863 - Cryptographically Weak Key Exchange Size Saicharan, On 7/18/22 10:45, saicharan.bu...@wellsfargo.com.INVALID wrote: > Hi All, > > A new vulnerability has surfaced regarding TLS and Key Exchange > agreement (more specifically the key size.) > > "The SSL/TLS server supports key exchanges that are cryptographically > weaker than recommended. Key exchanges should provide at least 224 bits of > security, which translates to a minimum key size of 2048 bits for Diffie > Hellman and RSA key exchanges. An attacker with access to sufficient > computational power might be able to recover the session key and decrypt > session content." > > We would like to know if Apache Tomcat was flagged by having a weak > DH (Diffie Hellman) key exchange or ECDH (Elliptic Curve) key exchange > or RSA (Rivest - Shamir - Adleman) key exchange. How do we remediate this > vulnerability to match the minimum requirements (RSA & DHE=2048; ECDHE= > P-256) ? Tomcat only uses the cryptographic providers supplied by the environment in which it's running. You need to configure those environments appropriately. Have you detected a vulnerability, or are you asking a theoretical question? -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: QID 38863 - Cryptographically Weak Key Exchange Size
Saicharan, On 7/18/22 10:45, saicharan.bu...@wellsfargo.com.INVALID wrote: Hi All, A new vulnerability has surfaced regarding TLS and Key Exchange agreement (more specifically the key size.) "The SSL/TLS server supports key exchanges that are cryptographically weaker than recommended. Key exchanges should provide at least 224 bits of security, which translates to a minimum key size of 2048 bits for Diffie Hellman and RSA key exchanges. An attacker with access to sufficient computational power might be able to recover the session key and decrypt session content." We would like to know if Apache Tomcat was flagged by having a weak DH (Diffie Hellman) key exchange or ECDH (Elliptic Curve) key exchange or RSA (Rivest - Shamir - Adleman) key exchange. How do we remediate this vulnerability to match the minimum requirements (RSA & DHE=2048; ECDHE= P-256) ? Tomcat only uses the cryptographic providers supplied by the environment in which it's running. You need to configure those environments appropriately. Have you detected a vulnerability, or are you asking a theoretical question? -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
QID 38863 - Cryptographically Weak Key Exchange Size
Hi All, A new vulnerability has surfaced regarding TLS and Key Exchange agreement (more specifically the key size.) "The SSL/TLS server supports key exchanges that are cryptographically weaker than recommended. Key exchanges should provide at least 224 bits of security, which translates to a minimum key size of 2048 bits for Diffie Hellman and RSA key exchanges. An attacker with access to sufficient computational power might be able to recover the session key and decrypt session content." We would like to know if Apache Tomcat was flagged by having a weak DH (Diffie Hellman) key exchange or ECDH (Elliptic Curve) key exchange or RSA (Rivest - Shamir - Adleman) key exchange. How do we remediate this vulnerability to match the minimum requirements (RSA & DHE=2048; ECDHE= P-256) ? Thanks, Saicharan