Symantec Access Management

  • 1.  CA Directory | Diffie-Hellman key exchange insufficient DH group strength

    Broadcom Employee
    Posted Sep 23, 2019 03:55 PM
    Hello..

     We ran a vulnerability scan on a CA Directory server and found that the DSAs' SSL/TLS service uses Diffie-Hellman groups with insufficient strength (key size < 2048).
     As per the documentation, there is no option on the set ssl command to change this behavior. Does anybody know if it is possible to change the DH key size for DSAs?


    ------------------------------
    Best Regards!
    Bruno Trindade
    ------------------------------


  • 2.  RE: CA Directory | Diffie-Hellman key exchange insufficient DH group strength
    Best Answer

    Broadcom Employee
    Posted Sep 24, 2019 02:23 AM
    Hi Bruno.

    I understand that you have received an update from Simon about this topic via the support ticket, and also via another thread in the Identity Management community by Widjaja.

    It is always a balance between convenience and security.
    A higher key length would certainly make things more secure, but it would also slow down throughput.

    https://docops.ca.com/ca-directory/12-6/en/reference/supported-standards-and-protocols/hashing-formats/encryption-formats-for-ssl


    https://docops.ca.com/cad141/reference/supported-standards-and-protocols/hashing-formats/encryption-formats-for-ssl

    Based on the above documentation, the key length supported is up to 2048 bits, so you can replace the keys with 2048-bit ones if desired.

    ------------------------------
    Support Engineer 5
    Broadcom
    ------------------------------
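After changing the keys, the thing to verify is what the DSA's TLS listener actually negotiates, because a scanner that reports "DH group strength" is looking at the ephemeral Diffie-Hellman parameters of the handshake, which `openssl s_client` prints as a "Server Temp Key" line, separately from the "Server public key" line that reflects the certificate's RSA key size. The following is an added example, not CA Directory or Broadcom code and not part of the original thread: it parses `openssl s_client` output (the sample outputs below are constructed, not captured from a real DSA) and flags a finite-field DHE group below 2048 bits; the `scan()` helper, the hostname and the port 636 used in the usage comment are assumptions, and it requires `openssl` on PATH only when scanning a live host.

```python
"""
Check the ephemeral Diffie-Hellman group a TLS endpoint negotiates.
Added example, not CA Directory / Broadcom code. Parsing runs offline on
captured output; scan() assumes `openssl s_client` is on PATH.
"""
import re
import subprocess

MIN_DH_BITS = 2048  # threshold the vulnerability scanner in the thread applied

# OpenSSL 1.0.2 and later print the ephemeral key after the handshake, e.g.
#   Server Temp Key: DH, 1024 bits
#   Server Temp Key: ECDH, P-256, 256 bits
#   Server Temp Key: X25519, 253 bits
# The line is absent when a static RSA key exchange (no forward secrecy) was used.
TEMP_KEY_RE = re.compile(r"Server Temp Key:\s*(\S+?),\s*(?:([^,]+),\s*)?(\d+)\s*bits")


def parse_temp_key(s_client_output):
    """Return (kex_type, bits) from openssl s_client output, or None if no ephemeral key line."""
    m = TEMP_KEY_RE.search(s_client_output)
    if not m:
        return None
    return m.group(1), int(m.group(3))


def assess(s_client_output, min_dh_bits=MIN_DH_BITS):
    """
    Classify the handshake:
      'weak-dh'  finite-field DHE with a group smaller than min_dh_bits
      'ok'       DHE group >= min_dh_bits, or an ECDHE/X25519 exchange
      'no-fs'    no ephemeral key at all (static RSA key exchange)
    """
    parsed = parse_temp_key(s_client_output)
    if parsed is None:
        return "no-fs"
    kex, bits = parsed
    if kex == "DH":
        return "weak-dh" if bits < min_dh_bits else "ok"
    return "ok"


def scan(host, port, ciphers="DHE"):
    """Force a DHE suite so the server's DH group is exposed, then assess it (hypothetical helper)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-cipher", ciphers]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=20)
    out = proc.stdout.decode(errors="replace")
    return assess(out), parse_temp_key(out)


# Constructed sample outputs (trimmed), not captured from a real DSA.
# Note that SAMPLE_WEAK has a 2048-bit certificate key and still a 1024-bit DH group:
# the two sizes are independent, and the scanner finding is about the latter.
SAMPLE_WEAK = """---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Server Temp Key: DH, 1024 bits
"""
SAMPLE_OK = "Server public key is 2048 bit\nServer Temp Key: DH, 2048 bits\n"
SAMPLE_ECDHE = "Server Temp Key: ECDH, P-256, 256 bits\n"
SAMPLE_RSA = "New, TLSv1/SSLv3, Cipher is AES256-SHA\nServer public key is 2048 bit\n"

if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("ok", SAMPLE_OK),
                         ("ecdhe", SAMPLE_ECDHE), ("static-rsa", SAMPLE_RSA)):
        print(f"{name:10s} -> {assess(sample)} {parse_temp_key(sample)}")
    # Live check against a DSA's SSL port (hostname and port are assumptions):
    # print(scan("dsa.example.internal", 636))
```

Run it against the DSA's SSL port once with `-cipher DHE` and once without: the first run shows the DH group size the DSA would hand to a client that negotiates DHE, which is what the scanner measured; the second shows what clients actually get by default. If the first run still reports a group under 2048 bits after the key change, the finding will persist regardless of the certificate key size.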



  • 3.  RE: CA Directory | Diffie-Hellman key exchange insufficient DH group strength

    Broadcom Employee
    Posted Sep 25, 2019 09:26 AM
    Edited by Bruno Trindade Sep 25, 2019 09:27 AM
    Hi Sung,

     Thanks for the heads up!

     We've mapped the use cases where we need those connections, so we realized that the change impact is low, since we know all the clients and these clients are on our domain. Although these changes could somehow be considered excessive, this is also feedback about the CA/Broadcom products' possibilities regarding the customer's security requirements.
     About the supported ciphers and their key size limit, we are discussing how we can move on with the customer-accepted ciphers, which include DHE, EDHE and RSA, while also keeping the minimum DH size at 2048.

    ------------------------------
    Best Regards!
    Bruno Trindade
    ------------------------------