Fixing RSA Keys Less Than 2048 bits



Posted on 2015-01-01 by Peter Bassill in category News.




Nessus Summary
Nessus ID: 69551


CVSS v3.0 Base Score: 1.4


Nessus Description
At least one of the X.509 certificates sent by the remote host has a key that is shorter than 2048 bits. According to industry standards set by the Certification Authority/Browser (CA/B) Forum, certificates issued after January 1, 2014 must be at least 2048 bits.


Some browser SSL implementations may reject keys less than 2048 bits after January 1, 2014. Additionally, some SSL certificate vendors may revoke certificates less than 2048 bits before January 1, 2014.


Note that Nessus will not flag root certificates with RSA keys less than 2048 bits if they were issued prior to December 31, 2010, as the standard considers them exempt.


How to Fix
This vulnerability is caused by an RSA key of less than 2048 bits in length being present. Fixing this is simple.


If you are unable to fix it or don't have the time, we can do it for you. Find out more information here or buy a fix session now for £149.99 plus tax using the button below.


Apache Fix
The following configuration should be added to the security.conf file to apply it globally, or to the relevant virtual host:


SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
SSLCompression off
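The cipher-suite and protocol directives above harden the TLS configuration, but Nessus 69551 fires on the length of the RSA key inside the certificate, so the certificate itself has to be re-keyed at 2048 bits or more. The following shell script is an added example (it is not from the original post) that uses the openssl CLI to read the key size out of a certificate the way the scanner does, and to generate a replacement key. The helper names, the CN example.test and the self-signed certificates it creates are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: check the RSA key length of an
# X.509 certificate against the 2048-bit minimum (Nessus plugin 69551) and
# generate a compliant replacement key.
set -eu

# rsa_key_bits CERT.pem -> prints the public key size in bits (empty if unknown)
rsa_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# cert_is_compliant CERT.pem -> exit 0 if the key is >= 2048 bits, 1 otherwise
cert_is_compliant() {
    bits=$(rsa_key_bits "$1")
    [ "${bits:-0}" -ge 2048 ]
}

# make_self_signed BITS OUT_PREFIX -> writes OUT_PREFIX.key and OUT_PREFIX.crt
# Constructed test material only: in production the new key is used to build a
# CSR for your CA rather than a self-signed certificate.
make_self_signed() {
    openssl genrsa -out "$2.key" "$1" 2>/dev/null
    openssl req -new -x509 -key "$2.key" -out "$2.crt" -days 1 \
        -subj "/CN=example.test" 2>/dev/null
}

# Usage (hypothetical file name): sh check_cert.sh /etc/ssl/certs/site.crt
if [ $# -ge 1 ]; then
    if cert_is_compliant "$1"; then
        echo "$1: $(rsa_key_bits "$1")-bit key, compliant"
    else
        echo "$1: $(rsa_key_bits "$1")-bit key, below 2048 bits (Nessus 69551)"
    fi
fi
```

Once the CA has issued a certificate for the new 2048-bit key, point SSLCertificateFile and SSLCertificateKeyFile at the new files alongside the directives above; the cipher and protocol settings on their own do not clear this finding.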

IIS Fix
The Microsoft Knowledge Base article "How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll" describes how to enable just the FIPS 140 algorithms. Here's a summary:


Disable weak ciphers

Open the registry editor and locate:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders

Set the "Enabled" DWORD to "0x0" for the following registry keys:

SCHANNEL\Ciphers\RC4 128/128
SCHANNEL\Ciphers\RC2 128/128
SCHANNEL\Ciphers\RC4 64/128
SCHANNEL\Ciphers\RC4 56/128
SCHANNEL\Ciphers\RC4 40/128
SCHANNEL\Ciphers\RC2 40/128
SCHANNEL\Ciphers\NULL
SCHANNEL\Hashes\MD5

Enable strong ciphers

Open the registry editor and locate:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders

Set the "Enabled" DWORD to "0xffffffff" for the following registry keys:

SCHANNEL\Ciphers\Triple DES 168/168
SCHANNEL\Hashes\SHA
SCHANNEL\KeyExchangeAlgorithms\PKCS

If the "Enabled" DWORD value does not exist yet, create it and set it to "0x0" or "0xffffffff" as required.


