0

I have to ensure that the server when communicating on the Internet needs to have DH prime value of 2048 bits or greater.

I can find out the cipher suites that are used but cannot derive the DH prime value from that. If there is an online portal or a hack which lets you understand the strength of the DH prime value being exchanged then please let me know.

Anup Michael Salve
  • 1
  • 1
  • 2
  • Using a DH prime value would only make sense in the context of running a service protected by a Diffie–Hellman based cipher-suite. A shared DH prime is one of the parameters used in a DH based cryptography implementation. What service are you trying to protect or what are you trying to achieve in general? It may be worth seeking professional security consultancy assistance is this is for a production / public facing service. – Stu W Mar 28 '19 at 11:16
  • We have a finding from Bitsight report that a server has DH prime value less than 2048 bit. We need to configure the server for DH prime 2048 bit or more. Now I need to check from Internet if the DH prime for these servers is actually 2048 bit or not after the changes in the configuration. (Can't say anymore) – Anup Michael Salve Mar 28 '19 at 12:06

2 Answers2

1

I assume you are trying to check the length of the DH parameter for a TLS-secured service.

If you have access to the server, you can check its configuration. It is usually configured together with the other TLS parameters of your (web?)server.

If you don't have access, you could use sslscan <host>:<port>.

Example:

> sslscan 192.168.X.X:443
Version: 1.11.12-static
OpenSSL 1.0.2-chacha (1.0.2g-dev)

Connected to 192.168.X.X

[...]

  Supported Server Cipher(s):
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-384 DHE 384
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 1024 bits
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384       Curve P-384 DHE 384

If you are not looking for the length, but the actual content of the parameter, you will need access to the server.

Community
  • 1
Euphrasius von der Hummelwiese
  • 1,018
  • 5
  • 20
  • Where can I get this tool? I'm running a windows currently. And how safe is it? Edit: I don't have access to this server. I just need to check if configuration works correctly and that DH prime is 2048 bits or more. – Anup Michael Salve Mar 28 '19 at 12:07
  • sslscan - https://github.com/rbsec/sslscan or alternatively testssl.sh(my favourite) - https://testssl.sh/ – Stu W Mar 28 '19 at 13:11
  • Thank you man! You made my life so much simpler! – Anup Michael Salve Mar 29 '19 at 05:04
1

If the server is available on the intenet, you can just use Qualys ssllabs scanner to verify that DHE (not ECDHE) cipher suites use 2048 bit group.

You can also use wireshark to capture the recording of a handshake between a client and your server. Make sure the client is configured to use DHE, not ECDHE, and look at the size of "p" in the ServerKeyExchange message sent by the server. It should be 256 bytes (2048 bits) long.

You can use the script from this answer to capture and extract the DH group value (p and g) and format it as "dhparam" value suitable for configuring TLS servers like nginx and postfix smptd and use openssl dhparam -check to verify the value is "safe".

Z.T.
  • 7,963
  • 1
  • 22
  • 36