Troubleshooting: Short Diffie-Hellman Prime is Very Commonly Used

A common Diffie-Hellman prime indicates poor server-side TLS configuration; servers with common primes are more susceptible to compromise.

Refer to the following instructions to troubleshoot TLS/SSL Configurations Short Diffie-Hellman prime is very commonly used findings:

• How to Locate the Prime Value
• How to Check if the Prime is Common

Locating the Prime Value

How to Locate the Prime Value

1. Pull the IP address or domain and port from the SSL Configuration finding details (under ‘Last Seen IP:Port’).
2. Locate the prime value by running the following openssl command:

   openssl s_client -cipher 'DHE' -tls1_2 -connect <IP_address>:<port> -msg
   openssl s_client -cipher 'DHE' -tls1_2 -connect <domain>:<port> -msg

3. Get the 1024 or 2048 bit keys from the <<< TLS 1.2, Handshake [length xxxx], ServerKeyExchange section:
   • 2048 Bits: Starts on the 7th pair on the first line and ends on the 6th pair on the 17th line.
     
   • 1024 Bits: Starts on the 7th pair on the first line and ends on the 6th pair on the 9th line.
     

The prime value can also be confirmed using a packet capture tool (like Wireshark) to monitor the Transport Layer Security request traffic when running the openssl command.

Checking if the Prime is Common

How to check if the prime is common

Once you have located the prime value, perform a Google search of the value. If the prime matches a result from these site searches, it is considered to be a common prime.

Sites listing common primes:

• Datatracker, “RFC 3526”
• Github, “Port Swigger Common Primes”
• SSL Labs by Qualys

  This third party tool has different grading methodologies from our scanners and can result in a different grading of common primes. See the FAQ below for details.

Frequently Asked Questions

SSL Labs/Qualys does not detect this as a common prime. Why does Bitsight see it as an issue?

SSL Labs by Qualys is a popular tool for reviewing the status of domains. However, this third party tool does not use the same grading methodologies as Bitsight scanners and can result in a different grading of common primes. This is evidenced by the Qualys SSL Labs GitHub where several users have come across this discrepancy and realized that they were using a common prime.