Insufficient DH Group Strength Vulnerability
When we did a vulnerability assessment on our pfSense firewall, we could see the vulnerability below being reported during the scan.
"SSL Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability"
Is there any recommended solution or workaround for closing this vulnerability on pfsense?
Any help is much appreciated.
Not with this amount of info, no. Blindly running scans without understanding what's being done and what's the output about is not exactly productive.
What did you scan? What service came back with that? Are you running say HAproxy or something?
It is occurring on port 4443, a custom port number for the web configurator (Web GUI). I have also appended the vulnerability results.
Medium (CVSS: 4.0)
NVT: SSL Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability
The TLS service uses Diffie-Hellman groups with insufficient strength (key size < 2048).
Vulnerability Detection Result
Server Temporary Key Size: 1024 bits
Also, when I searched I could see a generic workaround such as "Deploy (Ephemeral) Elliptic-Curve Diffie-Hellman (ECDHE)".
But not sure whether the same can be applied for PFSense.
No idea if using outdated pfSense or the (still unknown) scanner produces complete BS. - https://github.com/pfsense/pfsense/blob/RELENG_2_3_2/src/etc/inc/system.inc#L1340
What version of pfSense are you running? As dok pointed out, this has been updated quite some time ago.
I just ran a scan against my pfsense 2.3.2_p1
We are using pfsense 2.2.4.
So you're worried about security and running a version that came out in July of 2015 ;) Makes a lot of sense… doh!!!
KOM:
Time to upgrade.
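A way to reproduce the scanner's "Server Temporary Key Size: 1024 bits" finding against the WebGUI port yourself, and to confirm it is gone after upgrading, as an added example that is not part of this thread: it assumes a POSIX shell with `openssl` on the PATH, and the host address is a placeholder (the port 4443 is the one from the thread).

```shell
# Added check (not from the thread): does the TLS service still offer a
# finite-field DH group below 2048 bits, as the scanner reported?

# Classify one openssl s_client transcript by its "Server Temp Key:" line.
# Returns 0 = ok (DH >= 2048 bits, or ECDHE), 1 = weak DH group,
# 2 = no ephemeral key exchange line found (handshake failed or static RSA).
classify_temp_key() {
    line=$(printf '%s\n' "$1" | grep 'Server Temp Key:' | head -n 1)
    [ -n "$line" ] || return 2
    case "$line" in
        *"Server Temp Key: DH,"*)
            # e.g. "Server Temp Key: DH, 1024 bits" -> 1024
            bits=$(printf '%s\n' "$line" | sed -n 's/.*DH, \([0-9]*\) bits.*/\1/p')
            if [ "${bits:-0}" -ge 2048 ]; then return 0; else return 1; fi ;;
        *"Server Temp Key: ECDH,"*|*"Server Temp Key: X25519"*|*"Server Temp Key: X448"*)
            return 0 ;;   # ECDHE in use: the DH group-size finding does not apply
        *)  return 2 ;;
    esac
}

# Connect to $1:$2 pinned to TLS 1.2 and restricted to DHE cipher suites, so a
# weak group shows up even if the server would normally prefer ECDHE.
# Prints a verdict and returns the classify_temp_key code.
probe_host() {
    out=$(openssl s_client -connect "$1:$2" -tls1_2 -cipher 'DHE' </dev/null 2>/dev/null)
    rc=0; classify_temp_key "$out" || rc=$?
    case "$rc" in
        0) echo "$1:$2 OK:   $(printf '%s\n' "$out" | grep 'Server Temp Key:')" ;;
        1) echo "$1:$2 WEAK: $(printf '%s\n' "$out" | grep 'Server Temp Key:')" ;;
        *) echo "$1:$2 no DHE key exchange observed (handshake failed or DHE disabled)" ;;
    esac
    return "$rc"
}

# Usage (placeholder address): probe_host 192.0.2.10 4443
```

Exit code 2 after the fix is expected if DHE suites were removed entirely in favour of ECDHE; rerun without `-cipher 'DHE'` to see which ephemeral exchange the server now negotiates.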