1. Home
  2. Network Vulnerabilities
  3. How to remediate – SSL Perfect Forward Secrecy Cipher Suites Supported
Searching...

How to remediate – SSL Perfect Forward Secrecy Cipher Suites Supported

Contents

1. Introduction

The SSL Perfect Forward Secrecy Cipher Suites Supported vulnerability means a service uses encryption methods that protect past communications even if its private key is stolen. This protects confidentiality of data in transit, and affects servers using TLS/SSL. A compromise of the server’s private key could allow an attacker to decrypt previously recorded traffic.

2. Technical Explanation

The remote host supports SSL ciphers offering Perfect Forward Secrecy (PFS). PFS generates unique encryption keys for each session, meaning a compromised private key cannot decrypt past sessions. An attacker gaining access to the server’s private key would still need to break each individual session key to decrypt traffic. This vulnerability is not directly exploitable but indicates strong cryptographic configuration.

  • Root cause: The server’s TLS/SSL configuration includes cipher suites that support Perfect Forward Secrecy.
  • Exploit mechanism: An attacker compromises the server’s private key, but cannot decrypt past SSL sessions due to PFS.
  • Scope: Servers using OpenSSL or other TLS/SSL implementations supporting PFS cipher suites are affected.

3. Detection and Assessment

Confirming a system supports PFS involves checking its configured cipher suites. A quick check can show the overall SSL configuration, while thorough methods examine specific ciphers.

  • Quick checks: Use openssl s_client -connect {target}:{port} and look for cipher suites in the output that include “ECDHE” or “DHE”.
  • Scanning: Nessus plugin ID 69847 can identify supported PFS ciphers. Qualys SSL Labs also reports PFS support.
  • Logs and evidence: TLS handshakes logs may show negotiated cipher suites.
openssl s_client -connect example.com:443

4. Solution / Remediation Steps

This is not a vulnerability requiring remediation, but confirmation of good configuration. The steps below verify PFS is enabled and maintained.

4.1 Preparation

  • Ensure you have access to the server’s TLS/SSL configuration files. A roll back plan involves restoring the original configuration if issues occur.
  • Changes should be made during a scheduled maintenance window with appropriate approvals.

4.2 Implementation

  1. Step 1: Review the server’s TLS/SSL configuration file (e.g., Apache’s httpd.conf, Nginx’s nginx.conf).
  2. Step 2: Ensure that cipher suites including “ECDHE” or “DHE” are enabled and prioritized.
  3. Step 3: Restart the web server to apply changes.

4.3 Config or Code Example

Before

SSLCipherSuite ALL -aNULL

After

SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256

4.4 Security Practices Relevant to This Vulnerability

Practices that support this vulnerability include maintaining a strong cryptographic configuration and regular updates.

  • Practice 1: Least privilege reduces the impact if a key is compromised.
  • Practice 2: Patch cadence ensures you have the latest security fixes for TLS/SSL libraries.

4.5 Automation (Optional)

# Example Ansible task to check cipher suites
- name: Check SSL Cipher Suites
  command: openssl s_client -connect {{ target }}:{{ port }} | grep "Cipher Suite"
  register: ssl_cipher_suites
  changed_when: false
- debug:
    msg: "SSL Cipher Suites: {{ ssl_cipher_suites.stdout }}"

5. Verification / Validation

Confirm the fix by rechecking the configured cipher suites and performing a service smoke test.

  • Post-fix check: Run openssl s_client -connect {target}:{port} and verify that “ECDHE” or “DHE” ciphers are listed in the output.
  • Re-test: Re-run the initial detection method to confirm PFS is still enabled.
  • Smoke test: Verify website access via HTTPS works as expected.
  • Monitoring: Monitor TLS handshake logs for unexpected cipher suite changes.
openssl s_client -connect example.com:443 | grep "Cipher Suite"

6. Preventive Measures and Monitoring

Preventive measures include regular security baselines updates and automated checks in deployment pipelines.

  • Baselines: Update your security baseline to require PFS cipher suites.
  • Pipelines: Add SAST or SCA tools to check for weak TLS/SSL configurations during development.
  • Asset and patch process: Review TLS/SSL configuration changes as part of a regular asset review cycle.

7. Risks, Side Effects, and Roll Back

Changing TLS/SSL settings can cause compatibility issues with older clients. A roll back involves restoring the original configuration file.

  • Risk or side effect 1: Older clients may not support PFS cipher suites, causing connection errors.
  • Risk or side effect 2: Incorrect configuration could disrupt TLS/SSL connections.
  • Roll back: Restore the previous TLS/SSL configuration file and restart the web server.

8. References and Resources

  • Vendor advisory or bulletin: https://www.openssl.org/docs/manmaster/man1/ciphers.html
  • NVD or CVE entry: Not applicable, as this is a positive security configuration.
  • Product or platform documentation relevant to the fix: Documentation for your specific web server (e.g., Apache, Nginx).
Updated on December 27, 2025

Was this article helpful?

Yes No

Related Articles