
Feature Request: Display Key Exchange parameters in SSL Server Test

Question asked by binaryanomaly on Apr 20, 2014
Latest reply on Apr 22, 2014 by binaryanomaly

Hello

As Perfect Forward Secrecy is more popular than ever (a positive side effect of Heartbleed), I think it would make a lot of sense to also display the Key Exchange parameters more explicitly as part of the SSL Server Test.

The secure Key Exchange is a core component of Perfect Forward Secrecy and it would imho be justified to give it a bit more attention.

If technically possible, detection of the standard DH params of Apache, nginx and others would be helpful, as it should actually result in a downgrade of the security rating. I would bet that the standard configuration is surprisingly common and definitely a risk according to the OpenSSL documentation:

"The risk in reusing DH parameters is that an attacker may specialize on a very often used DH group. Applications should therefore generate their own DH parameters during the installation process using the openssl dhparam(1) application." (https://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html)


rgds

reto
