KB Article #177451

Weak DH Modulus ("Logjam" issue) Detected on VA Server

Problem

* Security scans have detected a weak DH modulus (or "Logjam") issue on the Apache server used by Validation Authority.

Resolution

-- Because we disable all export ciphers by default, this is not considered a vulnerability. A client's connection cannot be downgraded to use an export cipher because, by default, we do not permit those ciphers to be used.


Validation Authority 4.12.1 SP5 and later use Apache 2.4, which allows you to specify a file with a custom modulus by adding the following line to /Axway/VA/Apache/conf/httpd.conf:


SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}"


You can generate the dhparams.pem file by running the OpenSSL that ships in /Axway/VA/tools and giving it this command:


openssl dhparam -out dhparams.pem 2048


You need to restart the Apache service after creating the file and updating httpd.conf for this setting to take effect. You can test that it's working by using the same OpenSSL as before to run the command below. Replace localhost:13333 in the command below with the host:port of your Apache UI if necessary:


openssl s_client -connect localhost:13333 -cipher "EDH"


Then check the output for a line saying:


Server Temp Key: DH, 2048 bits


Note that if you make OpenSSL generate a different size of DH parameter than shown, the key size displayed above will be different. Make sure to use OpenSSL 1.0.2 or later to test this, like the OpenSSL that ships with VA 4.12.1 SP5 and later, because earlier versions of OpenSSL did not display the key size.
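The following POSIX shell check is an added example and not part of this KB article: it parses the "Server Temp Key" line from openssl s_client output and reports whether the negotiated DH modulus meets the 2048-bit size configured above, so the test step can be scripted instead of read by eye. The sample outputs are constructed, and the 2048-bit threshold and the host:port argument to check_dh_live are assumptions you may adjust.

```shell
#!/bin/sh
# Added example (not from the KB): verify the ephemeral DH key size that
# openssl s_client reports, either from saved output or from a live server.

MIN_DH_BITS=2048   # assumed minimum; matches the dhparams size generated above

# dh_bits_from_output: read s_client output on stdin and print the bit size
# from the first "Server Temp Key: DH, N bits" line; prints nothing if absent
dh_bits_from_output() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1
}

# check_dh_output: read s_client output on stdin and return
#   0 if a DH key of at least MIN_DH_BITS was negotiated,
#   1 if a DH key was negotiated but is smaller than MIN_DH_BITS,
#   2 if no ephemeral DH key line is present (no DH suite negotiated)
check_dh_output() {
    bits=$(dh_bits_from_output)
    if [ -z "$bits" ]; then
        return 2
    elif [ "$bits" -lt "$MIN_DH_BITS" ]; then
        return 1
    fi
    return 0
}

# check_dh_live: run the KB's s_client command against host:port ($1),
# forcing an ephemeral DH suite, and apply check_dh_output to the result
check_dh_live() {
    openssl s_client -connect "$1" -cipher "EDH" </dev/null 2>/dev/null | check_dh_output
}

# Constructed sample outputs (not captured from a real VA server)
SAMPLE_OK="Server Temp Key: DH, 2048 bits
Verify return code: 0 (ok)"
SAMPLE_WEAK="Server Temp Key: DH, 1024 bits
Verify return code: 0 (ok)"
SAMPLE_NODH="Server public key is 2048 bit
Verify return code: 0 (ok)"
```

Run `check_dh_live localhost:13333` (or your own host:port) and branch on its exit status to fail a deployment check when the modulus is missing or too small.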