Security Vulnerability: DHEater aka CVE-2002-20001
This document (000020510) is provided subject to the disclaimer at the end of this document.
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 11
All applications on SUSE Linux Enterprise that have DHE enabled are affected. The Diffie-Hellman Ephemeral key exchange is usually configured by default to provide perfect forward secrecy.
Note that Elliptic Curve Diffie-Hellman is not affected by this problem.
SUSE is currently reviewing the best way forward on this issue.
While we use DEFAULT_SUSE as a default cipher set, removing DHE unconditionally could break existing setups.
A workaround is to temporarily disable DHE key exchange and use only ECDHE (Elliptic Curve Diffie-Hellman) in network services that use SSL / TLS / HTTPS. You need to check that this does not cause interoperability issues.
For Apache, add the !kDHE modifier to the SSLCipherSuite directive in use in the SSL vhost configuration, e.g. in /etc/apache2/ssl-global.conf or in local overriding vhost configs.
For OpenSSH, disable the Diffie-Hellman key exchange methods by setting or restricting KexAlgorithms in /etc/ssh.d/sshd_config.
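As an added example (not part of this TID), a POSIX shell script that reports whether a host's effective sshd configuration and the DEFAULT_SUSE OpenSSL cipher string still permit finite-field DHE, and prints the two workaround lines. The ECDH-only KexAlgorithms list and the cipher string are the editor's suggestions, and `sshd -T` and `openssl` are assumed to be installed (running `sshd -T` needs root).

```shell
#!/bin/sh
# Added example, not from the SUSE TID: audit a host for finite-field DHE
# key exchange and print the drop-in lines for the two workarounds above.

# Apache: exclude every DHE key exchange from the SUSE default cipher string.
APACHE_LINE='SSLCipherSuite DEFAULT_SUSE:!kDHE'
# sshd: keep only ECDH / curve25519 methods, none of the diffie-hellman-* groups.
SSHD_LINE='KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521'

# Extract the effective KexAlgorithms value from "sshd -T" output read on stdin.
kex_from_sshd_dump() {
    awk '$1 == "kexalgorithms" { print $2 }'
}

# Exit 0 when a comma-separated kex list contains no finite-field DH method.
kex_list_is_dhe_free() {
    case ",$1," in
        *,diffie-hellman-*) return 1 ;;
        *) return 0 ;;
    esac
}

# Exit 0 when an OpenSSL cipher string still enables any cipher with Kx=DH.
ciphersuite_allows_dhe() {
    openssl ciphers -v "$1" 2>/dev/null |
        awk '$3 == "Kx=DH" { n++ } END { exit (n > 0) ? 0 : 1 }'
}

# Check the running sshd and the DEFAULT_SUSE cipher string on this host.
audit_host() {
    kex=$(sshd -T 2>/dev/null | kex_from_sshd_dump)
    if kex_list_is_dhe_free "$kex"; then
        echo "sshd: no finite-field DH kex enabled"
    else
        echo "sshd: DHE still enabled, suggested: $SSHD_LINE"
    fi
    if ciphersuite_allows_dhe 'DEFAULT_SUSE'; then
        echo "apache: DEFAULT_SUSE still offers DHE, suggested: $APACHE_LINE"
    else
        echo "apache: no DHE ciphers in DEFAULT_SUSE"
    fi
}

# Run the audit only when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    audit_host
fi
```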
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000020510
- Creation Date: 18-Nov-2021
- Modified Date: 18-Nov-2021
- SUSE Linux Enterprise Server