how to disable Diffie-Hellman

[limpopo]

I get the task- disable DIFFIE-HELLMAN EPHEMERAL KEY EXCHANGE DOS VULNERABILITY (SSL/TLS, D(HE)ATER
I open settings scripts2/globalapachesetup, navigate to section SSL Cipher Suite
here is values ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
then I remove keys DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:
then I click save and rebuild and restart apache
then I run command $ openssl s_client -connect ip:443 -cipher "EDH" and it connects
where is my mistake?

 

[cPRex]

Hey there! Can you let us know the specific error you're receiving from the scanning tool? That might be helpful in narrowing this down a bit.

 

[limpopo]

what mean about scanning tool? my security department gave me the task-disable DIFFIE-HELLMAN EPHEMERAL. they gave such description-The remote SSL/TLS server is supporting Diffie-Hellman ephemeral (DHE) Key Exchange algorithms and thus could be prone to a denial of service (DoS) vulnerability.
The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger
expensive server-side DHE modular-exponentiation calculations, aka a D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack
may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it
can only communicate with DHE, and the server must be configured to allow DHE.

 

[cPRex]

Can you get some more specific details from your security department about what issues they are seeing? Every cipher with "DHE" is part of Diffie Hellman, so if you remove all those you won't have any options left.

It would be good to know the specific error they are reporting so we can recommend an action to take.

 

[limpopo]

they say just remove Diffie Hellman

REMEDIATION
•DHE key exchange should be disabled if no other mitigation mechanism can be used and either elliptic-curve variant of Diffie-Hellman (ECDHE) or RSA key exchange is supported by the clients. The fact that RSA key exchange is not forward secret should be considered.
• Limit the maximum number of concurrent connections in e.g. the configuration of the remote server. For Postfix this limit can be configured via 'smtpd_client_new_tls_session_rate_limit' option, for other products please refer to the manual of the product in question on configuration possibilities.

 

[cPRex]

Thanks for the additional details. This sounds like they are talking about the mailserver, and not Apache.

This would be adjusted in WHM >> Mailserver Configuration, and you'd just want to remove any ciphers that contain the "EDHC" text. It would be a good idea to back up your original cipher list just in case.