SSL Certificate Chain Contains RSA Keys Less Than 2048 bits
The use of RSA keys less than 2048 bits in SSL certificate chains presents a significant security risk due to the insufficient encryption strength such keys offer. Modern cryptographic standards recommend using RSA keys of at least 2048 bits to ensure adequate security against brute-force attacks.
- Severity: High
Using RSA keys with less than 2048 bits can lead to several security issues:
- Compromised Communications: Easier for attackers to decrypt SSL/TLS communications, potentially leading to data breaches.
- Reduced Trust: Weakens the trustworthiness of the website's SSL certificate, impacting user confidence and compliance with security standards.
- Vulnerability to Cryptanalysis: Smaller key sizes are more susceptible to cryptanalysis and other forms of cryptographic attacks.
This vulnerability arises when SSL certificates in the chain are generated with RSA keys under 2048 bits, often due to:
- Legacy systems or software that have not been updated to support stronger encryption standards.
- Misconfiguration during the certificate generation process.
- Lack of enforcement of security policies regarding minimum key lengths.
To mitigate this vulnerability and strengthen the security of SSL/TLS communications, the following steps should be taken:
- Regenerate Certificates:
  - Contact your certificate authority (CA) to issue new certificates with RSA keys of at least 2048 bits.
  - If managing your own certificates, generate new keys using recommended cryptographic standards:

    ```
    openssl genrsa -out mydomain.key 2048
    ```
- Configure Servers:
  - Update server configurations to enforce the use of stronger keys. For example, in Apache and Nginx, ensure that the SSL certificate and key directives point to the new certificates.
- Test Certificate Chain:
  - Use tools like OpenSSL to verify the key sizes in your certificate chain:

    ```
    openssl x509 -in certificate.crt -text -noout | grep "Public-Key"
    ```
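The `openssl x509` command above reads only the first certificate in a file, so a weak intermediate further down a bundle goes unnoticed. The script below is an added example, not part of the original page: it splits a PEM bundle and reports the key size of every certificate in it, flagging RSA keys under 2048 bits. The function name `check_chain`, the output format and the exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): report the public-key size of
# every certificate in a PEM bundle and flag RSA keys below a minimum size.
# Assumption: the bundle holds leaf + intermediates concatenated as PEM.
MIN_RSA_BITS=2048

# check_chain BUNDLE.pem : prints one line per certificate.
# Exit status: 0 = all RSA keys meet the minimum, 1 = weak RSA key found,
# 2 = the input could not be parsed.
check_chain() (
    bundle=$1 rc=0
    tmpdir=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmpdir"' EXIT

    # Split the bundle into one file per BEGIN/END CERTIFICATE block.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle" || exit 2

    set -- "$tmpdir"/cert*.pem
    [ -e "$1" ] || { echo "no certificates found in $bundle" >&2; exit 2; }

    for pem in "$@"; do
        text=$(openssl x509 -in "$pem" -noout -text 2>/dev/null) \
            || { echo "cannot parse $pem" >&2; rc=2; continue; }
        subject=$(openssl x509 -in "$pem" -noout -subject | sed 's/^subject= *//')
        alg=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
        bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
        case "$alg" in
            rsa*)   # rsaEncryption and RSA-PSS keys
                if [ "${bits:-0}" -lt "$MIN_RSA_BITS" ]; then
                    echo "WEAK  RSA ${bits:-?} bit  $subject"
                    [ "$rc" -eq 2 ] || rc=1
                else
                    echo "OK    RSA $bits bit  $subject"
                fi ;;
            *)  echo "SKIP  $alg ${bits:-?} bit  $subject (not RSA)" ;;
        esac
    done
    exit "$rc"
)
```

Run it as `check_chain fullchain.pem` against the bundle the server actually presents; a non-zero exit status makes it usable as a pre-deployment gate.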