Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#12217 closed defect (fixed)

Fix website weak key exchange

Reported by: UserUnknown
Owned by:
Priority: Medium
Milestone:
Component: Internal Services/Tor Sysadmin Team
Version:
Severity:
Keywords:
Cc: tom@…, Sebastian
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


The website uses a 2048 bit certificate, but when PFS ciphers are used (DHE), the key-exchange is limited to 1024 bits, because the DH parameters are configured to 1024 bits.

(If it's possible, please enable OCSP stapling as well.)

Change History (5)

comment:1 Changed 6 years ago by tom

Cc: tom@… added

comment:2 Changed 6 years ago by Sebastian

Cc: Sebastian added
Component: Website → Tor Sysadmin Team

This is for the sysadmins to decide

comment:3 Changed 6 years ago by weasel

Resolution: fixed
Status: new → closed

I don't think this is an issue anymore. If it still is, please re-open and provide more information.

comment:4 Changed 6 years ago by tom

I can confirm it is still an issue (ssllabs indicates 1024 bit groups still in use, it's in the ciphersuite table), but based off it appears upgrading the group would require patching and compiling 2.2 or upgrading to 2.4.

comment:5 Changed 6 years ago by weasel

Then this too will have to wait for jessie.
