We’re seeing a possible issue with NVT 2016/gb_ssl_dh_weak_keysize_vuln.nasl (SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerabili… OID: 1.3.6.1.4.1.25623.1.0.106223).
It’s flagging an (in-house developed) server process for using a “Server Temp Key” of length 2040 (?):
Summary
The SSL/TLS service uses Diffie-Hellman groups with insufficient strength (key size < 2048).
Vulnerability Detection Result
Server Temporary Key Size: 2040 bits
But as far as we can tell the actual minimum keylength is 2048:
[10:40:36] polaris:~ # echo "" | openssl s_client -connect 172.16.3.53:5107 -cipher "EDH" 2>/dev/null | grep "^Server Temp Key"
Server Temp Key: DH, 2048 bits
Any ideas? This seems similar (if not identical) to a question on the old openvas-plugins mailing list from last July, but I saw no reply there:
http://lists.wald.intevation.org/pipermail/openvas-plugins/2018-July/001404.html
Obviously we can just ignore this particular result, but it would be nice to understand.
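The post compares two measurements of the same DHE parameter: the NVT reports 2040 bits, openssl s_client reports 2048. The script below is an added example, not the poster's code and not the NVT's logic. It builds a TLS 1.2 ServerDHParams structure (RFC 5246 section 7.4.3: dh_p, dh_g, dh_Ys, each length-prefixed) from a constructed placeholder integer of 2048 bits (not a real DH group), parses it back, and reports the size of dh_p under three counting conventions: the highest set bit (what openssl's "Server Temp Key: DH, N bits" line prints), the encoded byte count times 8, and the byte count minus one times 8. Which convention the NVT uses is not shown on the page; the example only illustrates how a 2048-bit prime can come out as 2040 or 2056 depending on how the bytes are counted and whether the encoder emits a leading zero byte. The field names and the pad_p parameter are the example's own.

```python
"""Measure the DH prime in a TLS 1.2 DHE ServerKeyExchange under several
counting conventions.

Added example, not code from the forum post or the NVT.  The sample
ServerDHParams bodies are constructed locally from a placeholder
integer (not a real DH prime) so the script runs offline."""
import struct


def encode_dh_params(p: int, g: int, ys: int, pad_p: int = 0) -> bytes:
    """Build ServerDHParams (RFC 5246 section 7.4.3): dh_p, dh_g, dh_Ys,
    each encoded as opaque<1..2^16-1>, i.e. a 2-byte big-endian length
    followed by the big-endian integer.  pad_p (an assumption of this
    example) prepends that many 0x00 bytes to dh_p, mimicking an encoder
    that emits a leading zero byte."""
    out = b""
    for value, pad in ((p, pad_p), (g, 0), (ys, 0)):
        raw = b"\x00" * pad + value.to_bytes((value.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


def parse_dh_params(body: bytes) -> tuple:
    """Return the raw (dh_p, dh_g, dh_Ys) byte strings, rejecting
    truncated input instead of silently returning short fields."""
    fields = []
    offset = 0
    for _ in range(3):
        if offset + 2 > len(body):
            raise ValueError("truncated ServerDHParams length field")
        (length,) = struct.unpack_from("!H", body, offset)
        offset += 2
        raw = body[offset:offset + length]
        if len(raw) != length:
            raise ValueError("truncated ServerDHParams value")
        fields.append(raw)
        offset += length
    return fields[0], fields[1], fields[2]


def dh_prime_sizes(body: bytes) -> dict:
    """Report the dh_p size three ways.  'bit_length' is the position of
    the highest set bit, which is what openssl s_client prints in its
    'Server Temp Key: DH, N bits' line; the other two are byte-count
    conventions a scanner could plausibly apply instead."""
    raw_p, _, _ = parse_dh_params(body)
    p = int.from_bytes(raw_p, "big")
    return {
        "bit_length": p.bit_length(),
        "bytes_times_8": len(raw_p) * 8,
        "bytes_minus_one_times_8": (len(raw_p) - 1) * 8,
    }


if __name__ == "__main__":
    # Constructed placeholder: bit 2047 set so the value is exactly 2048
    # bits wide.  It is not prime and not a usable DH group.
    fake_p = (1 << 2047) | 0x1F
    fake_g = 2
    fake_ys = (1 << 2046) | 0x3
    for label, body in (
        ("minimal encoding", encode_dh_params(fake_p, fake_g, fake_ys)),
        ("leading zero byte", encode_dh_params(fake_p, fake_g, fake_ys, pad_p=1)),
    ):
        print(label, dh_prime_sizes(body))
```

With the minimal encoding, dh_p is 256 bytes: the bit length is 2048, bytes times 8 is 2048, and bytes minus one times 8 is 2040. With a leading zero byte, dh_p is 257 bytes: the bit length is still 2048 while the byte-count conventions give 2056 and 2048. To apply this to a real server, capture the ServerKeyExchange from a DHE handshake and feed its ServerDHParams bytes to dh_prime_sizes.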