The Logjam Attack exploits a weakness affecting all versions of the TLS protocol which allows a monster-in-the-middle to downgrade to 512-bit export grade cryptography.
Our recommendations were always to use Diffie-Hellman parameters > 1024 bits. The general recommendation is to use 4096bits wherever possible but at least the same length as your RSA key size. That means at least 2048bit DH-Parameters or longer when using 2048bit RSA keys.
When using server daemons that allows you to specify DH-Parameters from a file, double check you’re actually doing so. Most default to only 1024bit. If your server daemon doesn’t allow specifying a file, check if an updated version is available. Keep in mind that some clients and servers don’t work well with DH-Parameters > 1024 bits.
As always update your software and never rely on neither sane let alone secure defaults.
Testing
If you want to quickly test if your server is affected you can do so using openssl(1)
1.0.2. OpenSSL 0.9.8/1.0.1 does not output DH-Parameter info.
Webserver
1
|
|
Mailserver
Mail transport agent (MTA)
1
|
|
Mail submission agent (MSA)
1
|
|
XMPP/Jabber
1
|
|
This should output two lines:
Server public key is 4096 bit
is your RSA Key size.
Server Temp Key: DH, 4096 bits
is your DH-Parameter size. If this is 1024 bits or lower you need up upgrade your configuration.
Further reading
You can find more technical details about The Logjam Attack at https://weakdh.org/.
Emilia Kasper has posted an article on Logjam, FREAK and Upcoming Changes in OpenSSL to give you a headstart on the next OpenSSL updates to come.
The technical paper is Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice. (PDF)
Hanno Böck has written a lengthy piece on Logjam in german. Logjam-Angriff: Schwäche im TLS-Verfahren gefährdet zehntausende Webseiten
Updates
2015-05-21 14:59 CET: Updated testing commands to also work on Linux. (Tested on Debian Wheezy.) Updated explanations that OpenSSL 1.0.2 is required to display DH Parameters.