ECDH public server param reuse in Kestrel

olelar 1 Reputation point
2022-03-21T23:45:18.16+00:00

Hello,

I have an application that is hosted using Kestrel.

When running the SSL Server Test from SSLLabs.com, it states that the server is reusing ECDH public server parameters. I am getting the same warning when using another fussy scanning tool.

My question is, does Kestrel reuse Diffie-Hellman public keys, or does it cache them for some time like IIS does?

I can't find much information online about Kestrel reusing keys even though the cipher suite used is supposed to be ephemeral Diffie-Hellman. I did find this page, which states Kestrel tries to reuse the connection for HTTP/1.1, but it is not clear to me if that means that Kestrel reuses keys or not: https://learn.microsoft.com/en-us/aspnet/core/fundamentals/servers/kestrel/request-draining?view=aspnetcore-5.0

My app is hosted on Windows Server 2019 and uses .NET 5.

I can't find any tags related to Kestrel, so hopefully tagging this with IIS is OK.

Thank you

Internet Information Services

1 answer

  1. Aaron Beetstra 0 Reputation points
    2024-03-07T13:48:37.6066667+00:00

    I've struggled with this for a while; apparently Microsoft tends to cache the DH key and periodically regenerate it. This means it does not regenerate the key for every connection, improving performance (in their opinion).

    To disable this, open the Registry Editor; there you can set the reuse time to 0, which forces a new key to be generated for every connection. Follow these steps:

    1. Navigate to HKLM\System\CurrentControlSet\Control\SecurityProviders\Schannel\KeyExchangeAlgorithms\ECDH
    2. In ECDH click New --> DWORD (32-bit) value
      1. Value name: EphemKeyReuseTime
      2. Value data: 0
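A PowerShell script that audits the registry setting described in the answer above and, on request, applies it. This is an added example, not the answerer's own script; the script name, its `-Fix` switch and the assumption that an absent value means default Schannel behaviour are mine.

```powershell
# Check-EcdhReuse.ps1 (added example, not from the original answer)
# Audits the Schannel ECDH EphemKeyReuseTime value and, with -Fix, sets it to 0
# so a fresh ECDH key is generated for every TLS connection.
# Run from an elevated PowerShell session on the Windows server.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Fix   # when given, write EphemKeyReuseTime = 0 (honours -WhatIf)
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\KeyExchangeAlgorithms\ECDH'
$ValueName = 'EphemKeyReuseTime'

# Read the current setting. Assumption: a missing key or value means Schannel
# applies its built-in default reuse interval, which this script does not guess.
$current = $null
if (Test-Path -Path $KeyPath) {
    $current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
}

if ($null -eq $current) {
    Write-Output "$ValueName is not set under ECDH: default key reuse applies."
} elseif ($current -eq 0) {
    Write-Output "$ValueName is 0: a new ECDH key is generated for every connection."
} else {
    Write-Output "$ValueName is $current: ECDH ephemeral keys are being reused."
}

if ($Fix -and $current -ne 0) {
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set to 0')) {
        # Create the ECDH key if it does not exist yet, then write the
        # REG_DWORD value, matching the answer's "DWORD (32-bit) value".
        if (-not (Test-Path -Path $KeyPath)) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
        Write-Output "Set $ValueName = 0. Restart the host so Schannel picks up the change, then re-run the SSL Labs scan."
    }
}
```

Run `.\Check-EcdhReuse.ps1` to audit only, or `.\Check-EcdhReuse.ps1 -Fix -WhatIf` to preview the registry write before applying it with `-Fix`.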