Fixing RSA Keys Less Than 2048 bits

Fixing RSA Keys Less Than 2048 bits

Posted by Peter Bassill on 01/01/2015


Nessus Summary



Nessus ID: 69551



CVSS v3.0 Base Score: 1.4



Nessus Description



At least one of the X.509 certificates sent by the remote host has a key that is shorter than 2048 bits. According to industry standards set by the Certification Authority/Browser (CA/B) Forum, certificates issued after January 1, 2014 must be at least 2048 bits.



Some browser SSL implementations may reject keys less than 2048 bits after January 1, 2014. Additionally, some SSL certificate vendors may revoke certificates less than 2048 bits before January 1, 2014.Note that Nessus will not flag root certificates with RSA keys less than 2048 bits if they were issued prior to December 31, 2010, as the standard considers them exempt.



How to Fix



This vulnerability is cased by a RSA key of less than 2048 bits in length being present. Fixing this is simple.



If you are unable to fix it or dont have the time, we can do it for you. Find out more information here or buy a fix session now for £149.99 plus tax using the button below.





Purchase a fix now





Apache Fix



The follow configuration should be added to the security.conf file to apply globally or to virtual host:



SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
SSLCompression off



IIS Fix



The Microsoft Knowledge Base article "How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll" describes how to enable just the FIPS 140 algorithms. Here's a summary:



Disable weak ciphers



Open the registry editor and locate HKLMSYSTEMCurrentControlSetControlSecurityProviders



Set "Enabled" dword to "0x0" for the following registry keys:



SCHANNELCiphersRC4 128/128
SCHANNELCiphersRC2 128/128
SCHANNELCiphersRC4 64/128
SCHANNELCiphersRC4 56/128
SCHANNELCiphersRC4 40/128
SCHANNELCiphersRC2 40/128
SCHANNELCiphersNULL
SCHANNELHashesMD5



Enable strong ciphers



Open the registry editor and locate HKLMSYSTEMCurrentControlSetControlSecurityProviders



Set "Enabled" dword to "0xffffffff" for the following registry keys



SCHANNELCiphersTriple DES 168/168
SCHANNELHashesSHA
SCHANNELKeyExchangeAlgorithmsPKCS



If the Enabled word doesn't exist yet, please create the word and set the value to "0x0" or "0xffffffff" as required.

Contact us



  • Worklab, Europort, Gibraltar

  • +350 540 73836

  • hello@wearehedgehog.com