Re: commonly used Diffie-Hellman primes risk

chengl031 · ‎09-10-2021

Hi,

We have a FPR1010 device with FTD image and manage by FDM.

A risk was found in VPN service (outside interface and port 443) that it's using a commonly used Diffie-Hellman primes for SSL key exchange. How can I change that DH primes?

The server is using a common or default prime number as a parameter during the Diffie-Hellman key exchange. This makes the secure session vulnerable to a precomputation attack. An attacker can spend a significant amount of time to generate a lookup/rainbow table for a particular prime number. This lookup table can then be used to obtain the shared secret for the handshake and decrypt the session.

Thanks!

Rob Ingram · ‎09-10-2021

@chengl031

您需要升级到 FDM 7.0 版，该版本现在支持更改远程访问 VPN 的 SSL 密码设置。

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/relnotes/firepower-release-notes-700/features.html

Which should translate to - "You will need to upgrade to FDM 7.0, which now supports changing SSL cipher settings for remote access VPN."

chengl031 · ‎09-10-2021

是的，我们使用的是7.0.0.1-15，ssl密码设置好像只是更改cipher和协议，dh素数不知道怎么搞

Rob Ingram · ‎09-10-2021

这会更改 DH（Diffie Hellman）设置

This changes the DH (Diffie Hellman) settings

chengl031 · ‎09-10-2021

Yes, but this can not fix the risk of commonly DH primes. We already set to 15 and 21.

vikasgupta2k · ‎11-15-2022

Hello,

Were you able to resolve this issue. We are using FMC to manage FTD and getting the same issue while doing network security scan from outside.

Thanks

chengl031 · ‎11-15-2022

Just disable insecure ssl cipher. We only use:ECDHE_RSA_AES256_GCM_SHA384

ECDHE will not use the dh primes, so we can avoid the risk