Solved: Disable SSL/TLS Diffie-Hellman Modulus <= 1024 Bit... - Fortinet Community

We were doing some penentration tests on our systems and we found out that on our FortiGate 200D which has SSL VPN enabled it is susceptible to the LongJam attack. In the SSL VPN Settings, the below values have been set :

set algorithm high set sslv2 disable set sslv3 disable

In the Global COnfig, the below settings have been set :

set strong-crypto enable

even, when we perform the test again, the under output is presented to us :

vulnerable connection combinations : SSL/TLS interpretation : TLSv1.1 Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA Diffie-Hellman MODP size ( bits ) : 1024 Warning – This is a know electrostatic Oakley Group2 modulus. This may make the distant host more vulnerable to the Logjam approach. Logjam attack difficulty : Hard ( would require nation-state resources ) SSL/TLS adaptation : TLSv1.1 Cipher suite : TLS1_CK_DHE_RSA_WITH_3DES_EDE_CBC_SHA Diffie-Hellman MODP size ( bits ) : 1024 Warning – This is a know static Oakley Group2 modulus. This may make the outside host more vulnerable to the Logjam fire. Logjam attack difficulty : Hard ( would require nation-state resources ) SSL/TLS version : TLSv1.1 Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA Diffie-Hellman MODP size ( bits ) : 1024 Warning – This is a know static Oakley Group2 modulus. This may make the outside host more vulnerable to the Logjam approach. Logjam attack difficulty : Hard ( would require nation-state resources ) SSL/TLS adaptation : TLSv1.1 Cipher cortege : TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA Diffie-Hellman MODP size ( bits ) : 1024 Warning – This is a know inactive Oakley Group2 modulus. This may make the distant host more vulnerable to the Logjam attack. Logjam attack difficulty : Hard ( would require nation-state resources ) SSL/TLS interpretation : TLSv1.1 Cipher suite : TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA Diffie-Hellman MODP size ( bits ) : 1024 Warning – This is a know static Oakley Group2 modulus. This may make the outside host more vulnerable to the Logjam attack. Logjam attack difficulty : Hard ( would require nation-state resources ) SSL/TLS interpretation : TLSv1.0 Cipher cortege : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA Diffie-Hellman MODP size ( bits ) : 1024 Warning – This is a acknowledge inactive Oakley Group2 modulus. This may make the outside server more vulnerable to the Logjam attack. Logjam fire difficulty : Hard ( would require nation-state resources ) SSL/TLS version : TLSv1.0 Cipher suite : TLS1_CK_DHE_RSA_WITH_3DES_EDE_CBC_SHA Diffie-Hellman MODP size ( bits ) : 1024 Warning – This is a know static Oakley Group2 modulus. This may make the distant host more vulnerable to the Logjam attack. Logjam attack difficulty : Hard ( would require nation-state resources ) SSL/TLS translation : TLSv1.0 Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA Diffie-Hellman MODP size ( bits ) : 1024 Warning – This is a know static Oakley Group2 modulus. This may make the remote control horde more vulnerable to the Logjam attack. Logjam attack difficulty : Hard ( would require nation-state resources ) SSL/TLS version : TLSv1.0 Cipher suite : TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA Diffie-Hellman MODP size ( bits ) : 1024 Warning – This is a know static Oakley Group2 modulus. This may make the remote control master of ceremonies more vulnerable to the Logjam attack. Logjam attack difficulty : Hard ( would require nation-state resources ) SSL/TLS adaptation : TLSv1.0 Cipher suite : TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA Diffie-Hellman MODP size ( bits ) : 1024 Warning – This is a know static Oakley Group2 modulus. This may make the distant host more vulnerable to the Logjam attack. Logjam fire difficulty : Hard ( would require nation-state resources )

Does anyone know how to disable the cipher in motion or upgrade it to a 2048 bits ?

Thank you in progress, Thanasis

generator : https://coinselected.com
Category : crypto topics

Leave a Reply

Your email address will not be published.