HTTPS connection with weak key length
Description
The server's HTTPS configuration uses an encryption key length that falls below the industry-recommended minimum of 128 bits. Weak key lengths significantly reduce the cryptographic strength of SSL/TLS connections, making encrypted communications vulnerable to brute-force attacks and cryptanalysis. This vulnerability typically affects older cipher suites or improperly configured web servers.
Remediation
Update the server's SSL/TLS configuration to enforce a minimum key length of 128 bits for symmetric encryption and 2048 bits for RSA keys. Follow these steps:
1. Identify and disable weak cipher suites in your web server configuration
2. Configure the server to only accept strong cipher suites with adequate key lengths
3. Ensure RSA certificates use at least 2048-bit keys (4096-bit recommended)
4. Test the configuration using SSL/TLS scanning tools
For Apache, add to your SSL configuration:
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!CAMELLIA SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 SSLHonorCipherOrder onFor Nginx:
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305'; ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on;After making changes, restart the web server and verify the configuration using tools like SSL Labs' SSL Server Test.