An Apache web server may use the Diffie-Hellman (DH) key-agreement protocol as the "Key Exchange Algorithm" and "Authentication Method" of its SSL cipher suites. DH key exchange is not supported by Vulnerability Protection or the Deep Security Agent/Appliance: SSL filtering decrypts traffic with the server's private key, and a session key negotiated with DH cannot be recovered from that key. DH must therefore be disabled on the Apache web server for SSL filtering to work.
In the Apache documentation, "Key Exchange Algorithm" and "Authentication Method" are the first two of the four attributes (key exchange, authentication, encryption, MAC digest) that describe each cipher listed in the "SSLCipherSuite" directive in the httpd-ssl.conf file. To instruct Apache not to use Diffie-Hellman, "!ADH" must be added to this cipher list. Note that "ADH" is OpenSSL's alias for the anonymous (unauthenticated) DH suites only; the RSA-authenticated ephemeral DH and ECDH suites (DHE/EDH and ECDHE) also negotiate session keys that cannot be derived from the server's private key, so exclude them as well with "!DH:!ECDH", or restrict the list to RSA key exchange with the "kRSA" alias.
The following example shows the syntax required to exclude the anonymous DH key exchange and authentication suites in Apache:
SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
The leading "!" tells Apache to permanently exclude the matching ciphers, here "ADH", from the list. The "+" prefix, by contrast, only moves ciphers that are already selected to the end of the list and adds none; without a leading "ALL:" this example therefore enables only the RC4 suites with RSA key exchange, and RC4 is prohibited for TLS by RFC 7465.
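To see what a given SSLCipherSuite value actually leaves enabled, here is an added example (not from the original article or from Trend Micro) that feeds cipher strings to OpenSSL's own cipher-string parser through Python's ssl module and reports the key-exchange methods each one selects. It assumes the "kea", "name" and "protocol" keys that CPython's SSLContext.get_ciphers() returns; the cipher strings other than the article's example are constructed for comparison.

```python
import ssl

# Suites negotiated under TLS 1.3 are listed separately from the SSLCipherSuite
# cipher list and always use ephemeral (EC)DHE, so they are left out here; on a
# server that must stay decryptable with its static key they would have to be
# disabled at the protocol level, not through the cipher string.
TLS13 = "TLSv1.3"


def cipher_list(cipher_string):
    """Expand an OpenSSL cipher string with the same parser mod_ssl uses and
    return the TLS 1.2-and-earlier suites it selects.  Raises ssl.SSLError when
    the string selects nothing (for example an RC4-only list on an OpenSSL
    build that no longer ships RC4)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] != TLS13]


def kx_methods(cipher_string):
    """Key-exchange methods left enabled, as reported by Python's ssl module
    (assumed values: 'kx-rsa', 'kx-dhe', 'kx-ecdhe', ...)."""
    return {c["kea"] for c in cipher_list(cipher_string)}


def static_key_decryptable(cipher_string):
    """True only if every selected suite uses RSA key transport, so the session
    key can be recovered with the server's private key.  A single DHE or ECDHE
    suite in the list is enough to make a session undecryptable."""
    kx = kx_methods(cipher_string)
    return bool(kx) and kx == {"kx-rsa"}


def anonymous_suites(cipher_string):
    """Names of the anonymous (unauthenticated) DH/ECDH suites still selected.
    OpenSSL's ADH alias covers the ADH-* suites only, not AECDH-*."""
    return [c["name"] for c in cipher_list(cipher_string)
            if c["name"].startswith(("ADH-", "AECDH-"))]


# Constructed cipher strings for comparison; only the first is the article's
# own example, the other two are hypothetical alternatives.
CANDIDATES = {
    "article example": "!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL",
    "!ADH only": "ALL:!ADH",
    "RSA key exchange only": "kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5",
}

if __name__ == "__main__":
    for label, s in CANDIDATES.items():
        try:
            print(f"{label}: kx={sorted(kx_methods(s))} "
                  f"anonymous={anonymous_suites(s)} "
                  f"static-key decryptable={static_key_decryptable(s)}")
        except ssl.SSLError as err:
            print(f"{label}: selects no suites on this OpenSSL build ({err})")
```

Run it with a Python linked against the same OpenSSL build that mod_ssl uses; the result that matters for SSL filtering is a key-exchange set of exactly {'kx-rsa'}, which "ALL:!ADH" does not give because the DHE and ECDHE suites survive it.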
The configuration file may be located in different places depending on your Apache build. For example:
/etc/httpd/conf.d/ssl.conf (Red Hat-style packages)
conf/extra/httpd-ssl.conf under the Apache installation directory, for example /usr/local/apache2/conf/extra/httpd-ssl.conf (source builds)
For more information, see the Apache documentation of SSLCipherSuite at http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslciphersuite.