Disable Diffie-Hellman in Apache

Applies to on-premises Deep Security software installations only

Web servers are sometimes configured to use the Diffie-Hellman (DH) key exchange and authentication protocol as the "Key Exchange Algorithm" and "Authentication Method" during an SSL/TLS handshake. However, SSL inspection on the Deep Security Agent/Appliance does not work while Diffie-Hellman is enabled on the web server.

On Apache web servers, the "Key Exchange Algorithm" and "Authentication Method" parameters are the first two fields of the SSLCipherSuite directive in the httpd-ssl.conf file. To instruct Apache not to use Diffie-Hellman, add !ADH to these fields.

For example, to disable Diffie-Hellman, you might edit the Apache configuration file's cipher suites to look like this:

SSLCipherSuite !DH:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

(The "!" prefix tells Apache never to use the ciphers or cipher aliases it precedes.)
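The following is an added example (not part of the original Deep Security documentation) that checks the SSLCipherSuite directives in an Apache configuration for Diffie-Hellman key exchange, so an administrator can confirm the edit above took effect before relying on SSL inspection. It scans each SSLCipherSuite line, splits the OpenSSL cipher string, and reports which DH-related aliases are killed with "!" and which DH suites are still enabled. The DH alias names come from OpenSSL's ciphers(1) documentation; the sample configuration embedded in the script is constructed for the example, and the lint_config, dh_status and parse_cipher_string function names are this example's own.

```python
"""Lint Apache SSLCipherSuite directives for Diffie-Hellman key exchange (added example)."""
import re
from typing import Dict, List

# OpenSSL cipher-string aliases that select Diffie-Hellman key exchange
# (from ciphers(1)). "DH" covers anonymous, ephemeral and fixed DH; the
# others are narrower subsets, e.g. ADH = anonymous DH only, EDH/DHE =
# ephemeral DH only.
DH_ALIASES = {"DH", "EDH", "DHE", "kDHE", "kEDH", "ADH", "aDH", "kDH", "kDHr", "kDHd"}

# Individual suite names that use DH key exchange start with these prefixes.
DH_SUITE_PREFIXES = ("DHE-", "EDH-", "ADH-", "DH-")

# Apache directive names are case-insensitive.
DIRECTIVE_RE = re.compile(r"^\s*SSLCipherSuite\s+(.+?)\s*$", re.IGNORECASE)

# Constructed httpd-ssl.conf excerpt for this example; not a real deployment file.
# The first directive is the one shown on the page; the second only adds !ADH.
SAMPLE_CONF = """\
# constructed httpd-ssl.conf excerpt
Listen 443
<VirtualHost _default_:443>
    SSLEngine on
    SSLCipherSuite !DH:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
</VirtualHost>
<VirtualHost _default_:8443>
    SSLEngine on
    SSLCipherSuite DHE-RSA-AES256-SHA:HIGH:!ADH
</VirtualHost>
"""


def parse_cipher_string(spec: str) -> Dict[str, set]:
    """Split a cipher string into aliases killed with '!' and aliases enabled.

    Each colon-separated item may carry a leading '!', '-' or '+' and may be a
    '+'-joined combination such as RC4+RSA; every component is recorded.
    A '-' item is removed for now but can be re-added later, so it counts as
    neither killed nor enabled.
    """
    killed, enabled = set(), set()
    for item in spec.strip().strip('"').split(":"):
        if not item:
            continue
        modifier = item[0] if item[0] in "!-+" else ""
        body = item[1:] if modifier else item
        parts = set(body.split("+"))
        if modifier == "!":
            killed |= parts
        elif modifier == "":
            enabled |= parts
        elif modifier == "+":
            enabled |= parts
    return {"killed": killed, "enabled": enabled}


def dh_status(spec: str) -> dict:
    """Classify one SSLCipherSuite value with respect to DH key exchange."""
    info = parse_cipher_string(spec)
    killed_dh = info["killed"] & DH_ALIASES
    enabled_dh = {
        p for p in info["enabled"]
        if p in DH_ALIASES or p.upper().startswith(DH_SUITE_PREFIXES)
    }
    # "!DH" alone removes every DH suite; "!ADH" only removes anonymous DH,
    # so DHE-* suites (as in the second sample directive) stay available.
    fully_disabled = "DH" in killed_dh
    return {
        "killed_dh": sorted(killed_dh),
        "enabled_dh": sorted(enabled_dh),
        "fully_disabled": fully_disabled,
        "partially_disabled": bool(killed_dh) and not fully_disabled,
    }


def lint_config(text: str) -> List[dict]:
    """Return one finding per SSLCipherSuite directive, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE_RE.match(line)
        if m:
            finding = dh_status(m.group(1))
            finding["line"] = lineno
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in lint_config(SAMPLE_CONF):
        verdict = "DH fully disabled" if f["fully_disabled"] else "DH still possible"
        print(f"line {f['line']}: {verdict}; killed={f['killed_dh']} enabled={f['enabled_dh']}")
```

The check is string-level: it tells you which DH aliases the directive explicitly kills or enables, not which suites the linked OpenSSL library actually expands HIGH or MEDIUM into. To confirm the final list on the server, run `openssl ciphers -v '<the SSLCipherSuite value>'` and look for `Kx=DH` in the key-exchange column; with `!DH` present, no such line should appear.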

The file name and location of web server configuration files vary by operating system (OS) and distribution. For example, the path could be:

  • Default installation on RHEL4: /etc/httpd/conf.d/ssl.conf
  • Apache 2.2.2 on Red Hat Linux: /apache2/conf/extra/httpd-ssl.conf

References

For more information, see the Apache documentation for SSLCipherSuite:

http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslciphersuite