Disable Diffie-Hellman in Apache
Applies to on-premise Deep Security software installations only
Web servers are sometimes configured to use the Diffie-Hellman (DH) key exchange and authentication protocol as the "Key Exchange Algorithm" and "Authentication Method" during an SSL or TLS handshake. SSL inspection on the Deep Security Agent/Appliance won't work if it is enabled, however.
On Apache web servers, the "Key Exchange Algorithm" and "Authentication Method" parameters are the first two fields of the "
" variable present in the
file. To instruct Apache to not use Diffie-Hellman, add
!ADH to these fields.
For example, to disable Diffie-Hellman, you might edit the Apache configuration file's cipher suites to look like this:
" tells Apache to "not" use those ciphers.)
The file name and location of web server configuration files vary by operating system (OS) and distribution. For example, the path could be:
- Default installation on RHEL4:
- Apache 2.2.2 on Red Hat Linux:
For more information, see the Apache Documentation for