Posted to users@tomcat.apache.org by Sa...@wellsfargo.com.INVALID on 2022/07/18 14:45:15 UTC

QID 38863 - Cryptographically Weak Key Exchange Size

Hi All,

A new vulnerability has surfaced regarding TLS and Key Exchange agreement (more specifically the key size.)

"The SSL/TLS server supports key exchanges that are cryptographically weaker than recommended. Key exchanges should provide at least 224 bits of security, which translates to a minimum key size of 2048 bits for Diffie Hellman and RSA key exchanges. An attacker with access to sufficient computational power might be able to recover the session key and decrypt session content."

We would like to know if Apache Tomcat was flagged by having a weak DH (Diffie Hellman) key exchange or ECDH (Elliptic Curve) key exchange or RSA (Rivest - Shamir - Adleman) key exchange. How do we remediate this vulnerability to match the minimum requirements (RSA & DHE = 2048; ECDHE = P-256)?


Thanks,
Saicharan

RE: QID 38863 - Cryptographically Weak Key Exchange Size

Posted by Sa...@wellsfargo.com.INVALID.
Hi Chris,

Yeah, kind of a theoretical question. Recently a new Qualys QID vulnerability was released, QID: 38863 - Cryptographically Weak Key Exchange Size, which deals with weak cipher key exchange key values. So just checking if there is a way to specify a key size for the exchange?

Thanks,
Saicharan Burle

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net> 
Sent: Thursday, July 21, 2022 5:36 PM
To: users@tomcat.apache.org
Subject: Re: QID 38863 - Cryptographically Weak Key Exchange Size

Saicharan,

On 7/18/22 10:45, Saicharan.Burle@wellsfargo.com.INVALID wrote:
> Hi All,
> 
> A new vulnerability has surfaced regarding TLS and Key Exchange 
> agreement (more specifically the key size.)
> 
> "The SSL/TLS server supports key exchanges that are cryptographically 
> weaker than recommended. Key exchanges should provide at least 224 bits of security, which translates to a minimum key size of 2048 bits for Diffie Hellman and RSA key exchanges. An attacker with access to sufficient computational power might be able to recover the session key and decrypt session content."
> 
> We would like to know if  Apache Tomcat was flagged by having a weak 
> DH (Diffie Hellman) key exchange or ECDH (Elliptic Curve) key exchange 
> or RSA (Rivest - Shamir - Adleman) key exchange.  How do we remediate this vulnerability to match the minimum requirements (RSA & DHE=2048; ECDHE= P-256) ?

Tomcat only uses the cryptographic providers supplied by the environment in which it's running. You need to configure those environments appropriately.

Have you detected a vulnerability, or are you asking a theoretical question?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: QID 38863 - Cryptographically Weak Key Exchange Size

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Saicharan,

On 7/18/22 10:45, Saicharan.Burle@wellsfargo.com.INVALID wrote:
> Hi All,
> 
> A new vulnerability has surfaced regarding TLS and Key Exchange agreement (more specifically the key size.)
> 
> "The SSL/TLS server supports key exchanges that are cryptographically weaker than recommended. Key exchanges should provide at least 224 bits of security, which translates
> to a minimum key size of 2048 bits for Diffie Hellman and RSA key exchanges. An attacker with access to sufficient computational power might be able to recover the session key and decrypt session content."
> 
> We would like to know if  Apache Tomcat was flagged by having a weak DH (Diffie Hellman) key exchange or ECDH
> (Elliptic Curve) key exchange or RSA (Rivest - Shamir - Adleman) key exchange.  How do we remediate this vulnerability to match the minimum requirements
> (RSA & DHE=2048; ECDHE= P-256) ?

Tomcat only uses the cryptographic providers supplied by the environment 
in which it's running. You need to configure those environments 
appropriately.

Have you detected a vulnerability, or are you asking a theoretical question?

-chris
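
Added example, not part of the original thread: one way to check what a connector actually negotiates against the minimums quoted in the question (DHE 2048 bits, ECDHE P-256) is to parse the "Server Temp Key" line that `openssl s_client` prints. The sample outputs are constructed, and the 256-bit ECDH floor, the X25519 entry and the "Peer Temp Key" label are assumptions.

```python
import re

# Minimums quoted in the thread: DHE 2048 bits, ECDHE P-256.
# Assumptions: P-256 is read as a 256-bit floor for ECDH groups, and X25519
# (reported by OpenSSL as 253 bits) is accepted as comparable to P-256.
MIN_BITS = {"DH": 2048, "ECDH": 256, "X25519": 253}

# Matches "Server Temp Key: DH, 1024 bits" and
# "Server Temp Key: ECDH, P-256, 256 bits"; "Peer Temp Key" is also accepted
# on the assumption that some OpenSSL builds use that label.
TEMP_KEY = re.compile(
    r"^\s*(?:Server|Peer) Temp Key:\s*(?P<fields>.+?),\s*(?P<bits>\d+) bits\s*$",
    re.MULTILINE,
)

def check_key_exchange(s_client_output):
    """Return (kind, group, bits, ok) for the ephemeral key, or None.

    None means no temp-key line was printed, e.g. a static RSA key exchange,
    where the certificate key size is what has to be checked instead.
    """
    match = TEMP_KEY.search(s_client_output)
    if match is None:
        return None
    fields = [f.strip() for f in match.group("fields").split(",")]
    kind = fields[0]
    group = fields[1] if len(fields) > 1 else None
    bits = int(match.group("bits"))
    minimum = MIN_BITS.get(kind)  # unknown kinds are reported as not ok
    return kind, group, bits, minimum is not None and bits >= minimum

# Constructed, abridged s_client output (not captured from a real server).
SAMPLE_WEAK_DHE = """\
---
Server Temp Key: DH, 1024 bits
---
New, TLSv1.2, Cipher is DHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
"""
SAMPLE_ECDHE = """\
---
Server Temp Key: ECDH, P-256, 256 bits
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
"""

if __name__ == "__main__":
    for name, text in (("weak DHE", SAMPLE_WEAK_DHE), ("ECDHE", SAMPLE_ECDHE)):
        print(name, check_key_exchange(text))
```

Feed it the text printed by `openssl s_client -connect <host>:<port>` for the connector being checked; the fix for a failing result is made in the TLS provider's configuration, as the reply above says.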
