SSLLabs message: This server supports weak Diffie-Hellman (DH) key

SSLLabs message: This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.

To fix it, you can increase the minimum DHE key size to 2048 bits by adding the registry value below:

https://docs.microsoft.com/en-us/security-updates/securityadvisories/2016/3174644 

  1. Open Registry Editor.
  2. Access the following registry location:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]

Update the following DWORD value to:

   "ServerMinKeyBitLength"=dword:00000800

With this setting you will have an AEAD cipher that is not classified as “weak”, and SSLLabs will give you an A grade.
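
The same change scripted in PowerShell, as an added example that is not part of the original post: it creates the Diffie-Hellman key if it does not exist yet, writes the value, and reads it back to confirm both the data and the DWORD type. It assumes an elevated PowerShell session; the variable names are illustrative.

```powershell
# Added example: apply and verify the ServerMinKeyBitLength value from the steps above.
# Assumption: run from an elevated (Administrator) PowerShell session.
$path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'
$name = 'ServerMinKeyBitLength'
$bits = 0x800   # dword:00000800 = 2048

# The Diffie-Hellman subkey may be absent; create it only when it is missing.
# (New-Item -Force on an existing key would wipe its values, hence the Test-Path guard.)
if (-not (Test-Path -Path $path)) {
    New-Item -Path $path -Force | Out-Null
}

# Capture the previous state so the change can be logged or rolled back.
$existing = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
$before   = if ($existing) { $existing.$name } else { $null }

# Write the value as a DWORD, overwriting any previous data or type.
New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $bits -Force | Out-Null

# Read back and verify both the data and the registry value type.
$after = (Get-ItemProperty -Path $path -Name $name).$name
$kind  = (Get-Item -Path $path).GetValueKind($name)

if ($after -ne $bits -or $kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
    throw "Verification failed: $name is $after ($kind), expected $bits (DWord)."
}

[pscustomobject]@{
    Key      = $path
    Value    = $name
    Previous = if ($null -eq $before) { '(not set)' } else { $before }
    Current  = $after
    Type     = $kind
}
```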
