IBM Support

How do you disable Diffie-Hellman cipher suite on IIS and Apache Web servers?

Question & Answer


Question

How do you disable Diffie-Hellman cipher suite on IIS and Apache Web servers?

Answer

Diffie-Hellman is an SSL key-exchange method used by a family of cipher suites, designed so that third parties (anyone other than the two endpoints of a conversation) cannot decrypt the communications traffic. A user session that has been established with a Web server using this kind of cipher cannot be captured by a Tealeaf Passive Capture Machine (PCM).

Newer versions of the Firefox browser attempt to negotiate the Diffie-Hellman cipher family by default. Because of the increased popularity of Firefox, Tealeaf would like to pass along to customers instructions for dealing with these ciphers, including how to disable Diffie-Hellman negotiation on their Web servers if needed.

If the Web server infrastructure includes an SSL termination (a.k.a. acceleration) device upstream (closer to the end user's Web browser) of the point at which the PCM monitors the traffic, the PCM sees all the traffic in the clear (non-SSL). In this situation the following solution does not apply. The SSL terminating device is free to negotiate Diffie-Hellman with the end user's browser, because the PCM is downstream of the encrypted traffic and does not have to do any decryption.

To disable the Diffie-Hellman cipher suite on your Web server, follow one of the options below. If your Web server is not listed, see your Web server's documentation for instructions on disabling this cipher suite.

IIS:
1. Add (or modify) the following Registry key on each Web server:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman\Enabled = 0 (DWORD value)

2. Restart the Web server for the changes to take effect.

Apache:

1. On each Web server, in the ssl.conf file (or in some cases in the main Apache conf file), add "!ADH:!DH:" (without the quotes) to the start of the SSLCipherSuite config option string. Do this for every SSL config section (if not using one global section).

2. Restart the Web server for the changes to take effect.
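The Apache step above has to be repeated for every SSL section, and it is easy to miss one. The following script is an added example (not part of this article or of the Tealeaf product) that prepends the "!ADH:!DH:" prefix to every uncommented SSLCipherSuite directive in a config file, skips directives that already carry it, and lists any that still lack it; the ssl.conf fragment it operates on is constructed for illustration.

```python
import re

# Constructed sample ssl.conf fragment with two SSL sections: one still
# negotiating DH, one already carrying the prefix from the article.
SAMPLE_SSL_CONF = """\
<VirtualHost _default_:443>
    SSLEngine on
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
</VirtualHost>

<VirtualHost *:8443>
    SSLEngine on
    SSLCipherSuite !ADH:!DH:HIGH:!aNULL
</VirtualHost>
"""

DH_EXCLUSION = "!ADH:!DH:"
# Matches an active (uncommented) SSLCipherSuite directive; comments start with '#'.
_DIRECTIVE = re.compile(r"^(\s*SSLCipherSuite\s+)(.*?)(\s*)$", re.IGNORECASE)


def _has_prefix(value):
    """True if the cipher string (optionally double-quoted) already starts with the prefix."""
    return value.lstrip('"').startswith(DH_EXCLUSION)


def _add_prefix(value):
    """Insert the prefix inside the opening quote, if the value is quoted."""
    if value.startswith('"'):
        return '"' + DH_EXCLUSION + value[1:]
    return DH_EXCLUSION + value


def disable_dh_in_config(conf_text):
    """Return (rewritten config text, number of directives changed). Idempotent."""
    out, changed = [], 0
    for line in conf_text.splitlines():
        m = _DIRECTIVE.match(line)
        if m and not _has_prefix(m.group(2)):
            line = m.group(1) + _add_prefix(m.group(2)) + m.group(3)
            changed += 1
        out.append(line)
    return "\n".join(out) + ("\n" if conf_text.endswith("\n") else ""), changed


def unprefixed_cipher_suites(conf_text):
    """Cipher strings of SSLCipherSuite directives that still lack the DH exclusion prefix."""
    matches = (_DIRECTIVE.match(l) for l in conf_text.splitlines())
    return [m.group(2) for m in matches if m and not _has_prefix(m.group(2))]
```

Run it against a copy of the real file, review the diff, then restart Apache as in step 2.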

Article Reference
00000248

Applies to version(s): 7.x; 8.x


Document Information

Modified date:
08 December 2018

UID

ibm10777257