Hi Chriss Yeah kind of theoretical question. Recently a new Qualys QID vulnerability was released, QID: 38863 - Cryptographically Weak Key Exchange Size, which deals with weak cipher key exchange key values. So just checking if there is a way to specify a key size for the exchange?
Thanks, Saicharan Burle -----Original Message----- From: Christopher Schultz <ch...@christopherschultz.net> Sent: Thursday, July 21, 2022 5:36 PM To: users@tomcat.apache.org Subject: Re: QID 38863 - Cryptographically Weak Key Exchange Size Saicharan, On 7/18/22 10:45, saicharan.bu...@wellsfargo.com.INVALID wrote: > Hi All, > > A new vulnerability has surfaced regarding TLS and Key Exchange > agreement (more specifically the key size.) > > "The SSL/TLS server supports key exchanges that are cryptographically > weaker than recommended. Key exchanges should provide at least 224 bits of > security, which translates to a minimum key size of 2048 bits for Diffie > Hellman and RSA key exchanges. An attacker with access to sufficient > computational power might be able to recover the session key and decrypt > session content." > > We would like to know if Apache Tomcat was flagged by having a weak > DH (Diffie Hellman) key exchange or ECDH (Elliptic Curve) key exchange > or RSA (Rivest - Shamir - Adleman) key exchange. How do we remediate this > vulnerability to match the minimum requirements (RSA & DHE=2048; ECDHE= > P-256) ? Tomcat only uses the cryptographic providers supplied by the environment in which it's running. You need to configure those environments appropriately. Have you detected a vulnerability, or are you asking a theoretical question? -chris --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
