Diffie-Hellman is a type of SSL encryption cipher. A user session that is established with a web server by using this cipher cannot be captured by using the PCA.
By default, newer Firefox browser versions attempt to negotiate for the Diffie-Hellman cipher family. Tealeaf provides the following instructions to our customers on how to disable the Diffie-Hellman negotiation on their Web servers, if they choose to do so.
You can disable the Diffie-Hellman cipher suite on a web server. Your options depend on the type of web server.
- To disable Diffie-Hellman on IIS servers, you must modify the registry. Add or modify the following registry key on each web server:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\ SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman\ Enabled = 0 (DWORD value)
- To disable Diffie-Hellman on Apache servers, edit keyword strings in the
ssl.conf
orhttpd.conf
files .- In the Apache
conf
directory, locate thessl.conf
orhttpd.conf
file. - Look for the
SSLCipherSuite
keyword string value:To disable Diffie-Hellman, please insert "!EDH:!DHE:!DH:!ECDH" after the "ALL:" in the cipher spec. This is an example and you will need to make sure you include it to all the variants of Diffie-Hellman to disable it on your web server. For additional info: https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslciphersuite
- If you are not using one global configuration, make this change in every SSL configuration.
- Save the file.
- In the Apache
Restart the web server.
Locate servers that are using the Diffie-Hellman cipher
In a web application environment that operates many servers, locating the servers that use the Diffie-Hellman cipher can be time consuming. Using Wireshark, you can apply a display filter to refine the list of servers and identify the ones that are using the Diffie-Hellman cipher.
- Start Wireshark.
- Load or capture a
TCPdump
file of the traffic that is submitted to the PCA. - In the Filter textbox, copy the following string.
Note: The string should be a single line, without breaks. Remove the backslash characters at the end of each line (which are used here only for presentation, to indicate that the line continues).
ssl.handshake.ciphersuite == 0x10 || ssl.handshake.ciphersuite == 0x1a || \ ssl.handshake.ciphersuite == 0x1b || ssl.handshake.ciphersuite == 0x30 \ ||ssl.handshake.ciphersuite == 0x31 || ssl.handshake.ciphersuite == 0x32 || \ ssl.handshake.ciphersuite == 0x33 || ssl.handshake.ciphersuite == 0x34 \ ||ssl.handshake.ciphersuite == 0x36 || ssl.handshake.ciphersuite == 0x37 || \ ssl.handshake.ciphersuite == 0x38 || ssl.handshake.ciphersuite == \ 0x39||ssl.handshake.ciphersuite == 0x3a || ssl.handshake.ciphersuite == 0x63 \ || ssl.handshake.ciphersuite == 0x65 || ssl.handshake.ciphersuite == 0x66
- Then, paste the string to filter the Wireshark traffic.
- The filter traffic now shows only traffic from Diffie-Hellman ciphers.
- Use of the Diffie-Hellman cipher must be disabled on the listed server or servers.