Fwd: 2016/gb_ssl_dh_weak_keysize_vuln.nasl reports 2040 instead of 2048 bits key length
Christian Fischer
2018-07-24 09:41:10 UTC
Hi,

As you can see in the header of the file, I'm not the author of that NVT,
so unfortunately I'm not familiar with that script or its code either.

I'm forwarding this to the openvas-plugins mailing list for now, where NVT
issues/questions are discussed. Maybe another NVT developer can have a
look at this if time permits.

Regards,
Christian

-------- Forwarded Message --------
Subject: 2016/gb_ssl_dh_weak_keysize_vuln.nasl reports 2040 instead of 2048 bits key length
Date: Tue, 24 Jul 2018 08:54:18 +0000
From: Stefan Bauer <***@elster.de>
To: ***@greenbone.net <***@greenbone.net>

Hi Christian,

OpenVAS reports a key length of 2040 instead of 2048 bits during a
Postfix scan (submission/587):

Medium (CVSS: 4.0)

NVT: SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength
Vulnerabili... (OID: 1.3.6.1.4.1.25623.1.0.106223)
Summary

The SSL/TLS service uses Diffie-Hellman groups with insufficient
strength (key size < 2048).

Vulnerability Detection Result

Server Temporary Key Size: 2040 bits

openssl shows the correct key size from the remote side:

***@bst01ntb:~$ echo "" |openssl s_client -connect postfix:443 -cipher "EDH" | grep "Server Temp Key"
Temp Key: DH, 2048 bits

Postfix is set up in master.cf with:

    -o tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

Is this a false positive? I was digging into your script but lack
deeper coding knowledge to verify it.

Best regards
--
Kind regards

Stefan Bauer

External contractor commissioned by
Bayerisches Landesamt für Steuern
Department IuK 16 / ELSTER
Augustenstraße 10
80333 München

Tel. +49 (89) 9991 3636
***@mgm-tp.com <mailto:***@mgm-tp.com>

mgm technology partners GmbH
Frankfurter Ring 105a
80807 München

Tel. (mgm) +49 (89) 35 86 80-0
E-Mail: ***@mgm-tp.com <mailto:***@mgm-tp.com>
www.mgm-tp.com <http://www.mgm-tp.com>
Visit us on LinkedIn, Xing and Facebook!
LinkedIn: https://www.linkedin.com/company/mgm-technology-partners-gmbh
Xing: https://www.xing.com/companies/mgmtechnologypartnersgmbh
Facebook: https://www.facebook.com/mgmTechnologyPartners

Innovation Implemented.

Geschäftsführer / CEO: Hamarz Mehmanesh
Sitz der Gesellschaft / Registered office: München
Handelsregister / Commercial register: AG München HRB 161298
USt-IdNr. / VAT ID: DE815309575
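One thing worth noticing about the two numbers in the report: 2040 is exactly 255 * 8, i.e. one byte short of a 256-byte (2048-bit) value. openssl derives "2048 bits" from the bit length of the DH prime p, whereas a scanner that multiplies the encoded byte length of the server's public value dh_Ys by eight will print 2040 whenever that value happens to have a leading zero byte and is sent minimally encoded. The following Python is an added illustration, not code from this thread, from the NVT in question, or from OpenSSL/Postfix; the assumption that the scanner uses such a length-based heuristic is mine, and the 2048-bit modulus and public value are constructed placeholders (the modulus is not a real DH prime). It builds a TLS 1.2 ServerDHParams structure (RFC 5246 section 7.4.3) both with and without padding of dh_Ys, parses it back, and computes the key size both ways so the discrepancy can be reproduced offline.

```python
import struct
from typing import Optional, Tuple

# Constructed 2048-bit modulus: a placeholder with the right bit length, NOT a
# real (safe) DH prime. Only its encoded length matters for this illustration.
P_2048 = (1 << 2047) | (1 << 1000) | 1
G = 2
# Constructed server public value whose top byte is zero: it fits in 2040 bits
# (255 bytes) when encoded without left-padding.
YS_SHORT = (1 << 2039) | 12345


def _opaque(n: int, length: Optional[int] = None) -> bytes:
    """Encode n as a TLS opaque<1..2^16-1> vector (2-byte length prefix)."""
    raw = n.to_bytes(length or (n.bit_length() + 7) // 8, "big")
    return struct.pack("!H", len(raw)) + raw


def encode_server_dh_params(p: int, g: int, ys: int, pad_ys: bool) -> bytes:
    """Build a ServerDHParams structure (RFC 5246 section 7.4.3): dh_p, dh_g,
    dh_Ys. With pad_ys=False dh_Ys is minimally encoded (leading zero bytes
    dropped); with pad_ys=True it is left-padded to the byte length of p."""
    p_len = (p.bit_length() + 7) // 8
    return _opaque(p) + _opaque(g) + _opaque(ys, p_len if pad_ys else None)


def parse_server_dh_params(data: bytes) -> Tuple[bytes, bytes, bytes]:
    """Split the three length-prefixed vectors back out of the wire bytes."""
    fields = []
    off = 0
    for _ in range(3):
        (n,) = struct.unpack_from("!H", data, off)
        off += 2
        fields.append(data[off:off + n])
        off += n
    if off != len(data):
        raise ValueError("trailing bytes after ServerDHParams")
    return fields[0], fields[1], fields[2]


def key_size_from_prime(dh_p: bytes) -> int:
    """What openssl s_client reports: the bit length of the group prime."""
    return int.from_bytes(dh_p, "big").bit_length()


def key_size_from_ys_length(dh_ys: bytes) -> int:
    """Assumed scanner heuristic: eight times the encoded length of dh_Ys."""
    return len(dh_ys) * 8


def compare(pad_ys: bool) -> Tuple[int, int]:
    """Return (size from prime, size from dh_Ys length) for one encoding."""
    blob = encode_server_dh_params(P_2048, G, YS_SHORT, pad_ys)
    dh_p, _dh_g, dh_ys = parse_server_dh_params(blob)
    return key_size_from_prime(dh_p), key_size_from_ys_length(dh_ys)


if __name__ == "__main__":
    for pad in (False, True):
        from_p, from_ys = compare(pad)
        print(f"padded dh_Ys={pad}: prime says {from_p} bits, "
              f"dh_Ys length says {from_ys} bits")
```

Run stand-alone it prints 2048/2040 for the minimally encoded case and 2048/2048 for the padded one. The practical check is the one the poster already did: compare the scanner's figure against the prime's bit length as shown by openssl s_client; if the two disagree by a multiple of eight while the configured group is 2048 bits, the scanner is measuring an encoded length rather than the group strength, and the finding should be treated as a reporting artifact rather than a weak group.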