SSL Certificate Chain Contains Weak RSA Keys

medium Nessus Plugin ID 60108

Synopsis

The X.509 certificate chain used by this service contains certificates with RSA keys shorter than 1024 bits.

Description

At least one of the X.509 certificates sent by the remote host has an RSA key shorter than 1024 bits. Such keys are considered weak because advances in available computing power have reduced the time required to factor them.

Some SSL implementations, notably Microsoft's, may consider this SSL chain to be invalid due to the length of one or more of the RSA keys it contains.
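The following Python is an added example, not the plugin's own NASL code: it reads the modulus bit length out of a DER-encoded RSAPublicKey and reports the chain members that fall below the 1024-bit threshold this plugin uses. The chain entries are constructed stand-ins (placeholder moduli, not real keys; a real check would first extract the SubjectPublicKeyInfo from each X.509 certificate), and the check deliberately measures the integer's bit length rather than byte length * 8, because DER's leading sign byte makes the naive measure over-report a 1024-bit key as 1032 bits.

```python
# Added example (not the plugin's NASL code): measure RSA modulus size in a
# DER RSAPublicKey and flag chain members below the 1024-bit threshold.
WEAK_RSA_BITS = 1024  # keys shorter than this are what the plugin reports

def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(rsa_public_key_der):
    """Bit length of n in RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }."""
    tag, seq, _ = _read_tlv(rsa_public_key_der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, modulus, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    # DER INTEGERs are two's complement: a modulus with its top bit set carries a
    # leading 0x00, so len(modulus) * 8 over-reports by 8 bits, while a 1023-bit
    # modulus fills 128 bytes yet is still below the threshold. Use bit_length().
    return int.from_bytes(modulus, "big").bit_length()

def weak_rsa_keys_in_chain(chain, minimum_bits=WEAK_RSA_BITS):
    """Return [(name, bits)] for each (name, der) chain member with a short modulus."""
    sizes = [(name, rsa_modulus_bits(der)) for name, der in chain]
    return [(name, bits) for name, bits in sizes if bits < minimum_bits]

def _der_len(n):
    """DER length octets (minimal encoding); helper for the constructed samples."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def _der_int(value):
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")  # keeps the sign byte
    return b"\x02" + _der_len(len(raw)) + raw

def build_rsa_public_key(modulus, exponent=65537):
    """Constructed RSAPublicKey DER; the modulus is a placeholder, not a real key."""
    body = _der_int(modulus) + _der_int(exponent)
    return b"\x30" + _der_len(len(body)) + body

if __name__ == "__main__":
    chain = [("leaf", build_rsa_public_key(1 << 2047)),
             ("intermediate", build_rsa_public_key((1 << 1022) | 1)),  # 1023 bits
             ("root", build_rsa_public_key(1 << 2047))]
    print(weak_rsa_keys_in_chain(chain))  # [('intermediate', 1023)]
```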

Solution

Replace the certificate in the chain with the weak RSA key with a stronger key, and reissue any certificates it signed.

See Also

http://www.nessus.org/u?0095f43e

http://www.nessus.org/u?e1a5bacc

Plugin Details

Severity: Medium

ID: 60108

File Name: ssl_weak_rsa_keys.nasl

Version: 1.4

Type: remote

Family: General

Published: 7/24/2012

Updated: 11/15/2018

Dependencies: ssl_certificate_chain.nasl

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 4

Vector: AV:N/AC:H/Au:N/C:P/I:N/A:P

Vulnerability Information

Required KB Items: SSL/Chain/WeakRSA_Under_1024