Deep Security 10.1 has reached end of support.
Disable Diffie-Hellman in Apache
Web servers are sometimes configured to use the Diffie-Hellman (DH) key exchange and authentication protocol as the "Key Exchange Algorithm" and "Authentication Method" during an SSL or TLS handshake. However, SSL inspection on the Deep Security Agent/Appliance does not work while DH is enabled.
On Apache web servers, the "Key Exchange Algorithm" and "Authentication Method" parameters are the first two fields of the "SSLCipherSuite" variable in the httpd-ssl.conf file. To instruct Apache not to use Diffie-Hellman, add "!ADH" to these fields.
For example, to disable Diffie-Hellman, you might edit the Apache configuration file's cipher suites to look like this:
SSLCipherSuite !DH:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
(The "!" tells Apache to "not" use those ciphers.)
The file name and location of web server configuration files vary by operating system (OS) and distribution. For example, the path could be:
- Default installation on RHEL4: /etc/httpd/conf.d/ssl.conf
- Apache 2.2.2 on Red Hat Linux: /apache2/conf/extra/httpd-ssl.conf
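As an added example (not part of the original Help Center article), the following Python script audits an Apache configuration for this setting: it extracts every SSLCipherSuite directive and reports whether DH, EDH and ADH are all excluded with the "!" prefix, the form used in the cipher string above. The sample configuration text is constructed for this example, and the check looks only at explicit DH aliases, so an alias such as "HIGH" that expands to DH ciphers is only visible through "openssl ciphers -v".

```python
import re

# Cipher-string aliases this article uses for Diffie-Hellman key exchange:
# plain DH, ephemeral DH (EDH) and anonymous DH (ADH).
DH_ALIASES = ("DH", "EDH", "ADH")

# One SSLCipherSuite directive per line; Apache directive names are case-insensitive.
DIRECTIVE_RE = re.compile(r"^\s*SSLCipherSuite\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)

# Constructed sample config: the first vhost uses the cipher string shown on this
# page; the second only "removes" DH with '-' and then re-adds it with '+'.
SAMPLE_CONF = """\
<VirtualHost _default_:443>
    SSLEngine on
    SSLCipherSuite !DH:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    SSLCipherSuite -DH:!ADH:HIGH:+DH
</VirtualHost>
"""

def parse_cipher_specs(conf_text):
    """Return the cipher string of every SSLCipherSuite directive in conf_text."""
    # Apache 2.4 allows an optional protocol token before the cipher string,
    # so keep the last whitespace-separated token and strip surrounding quotes.
    return [m.group(1).split()[-1].strip('"') for m in DIRECTIVE_RE.finditer(conf_text)]

def dh_status(cipher_string):
    """Map each DH alias to 'killed', 'removed', 'enabled' or 'unmentioned'.
    OpenSSL semantics: '!' kills the alias for good, '-' removes it but a later
    bare or '+' entry can re-add it, and a bare or '+' entry enables it.
    """
    status = {alias: "unmentioned" for alias in DH_ALIASES}
    for field in cipher_string.split(":"):
        prefix = field[0] if field and field[0] in "!-+" else ""
        name = field[len(prefix):].upper()
        if name not in status or status[name] == "killed":
            continue  # not a DH alias, or already permanently excluded
        status[name] = {"!": "killed", "-": "removed"}.get(prefix, "enabled")
    return status

def dh_disabled(cipher_string):
    """True only when DH, EDH and ADH are all killed with '!', as in the page's example."""
    return all(state == "killed" for state in dh_status(cipher_string).values())

def audit_config(conf_text):
    """Return (cipher_string, dh_disabled) for each SSLCipherSuite directive found."""
    return [(spec, dh_disabled(spec)) for spec in parse_cipher_specs(conf_text)]
```

Run audit_config on the text of ssl.conf or httpd-ssl.conf; any directive reported False still permits DH key exchange and will break SSL inspection.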
References
For more information, see the Apache Documentation for SSLCipherSuite: http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslciphersuite