
BetterCrypto⋅org

Applied Crypto Hardening

TLS Logjam

The Logjam Attack exploits a weakness affecting all versions of the TLS protocol which allows a monster-in-the-middle to downgrade to 512-bit export grade cryptography.

Our recommendation has always been to use Diffie-Hellman parameters longer than 1024 bits. The general recommendation is to use 4096 bits wherever possible, but at least the same length as your RSA key. That means DH-Parameters of at least 2048 bits, or longer, when using 2048-bit RSA keys.

When using server daemons that allow you to specify DH-Parameters from a file, double check that you are actually doing so: most default to only 1024 bits. If your server daemon does not allow specifying a file, check whether an updated version is available. Keep in mind that some clients and servers do not work well with DH-Parameters > 1024 bits.

As always, update your software, and never rely on defaults being sane, let alone secure.

Testing

If you want to quickly test whether your server is affected, you can do so using openssl(1) 1.0.2. OpenSSL 0.9.8/1.0.1 does not output DH-Parameter information.

Webserver

echo | openssl s_client -connect bettercrypto.org:443 -cipher "EDH" 2>/dev/null | grep -ie "Server .* key"

Mailserver

Mail transport agent (MTA)

echo | openssl s_client -starttls smtp -connect smtp.example.com:25 -cipher "EDH" 2>/dev/null | grep -ie "Server .* key"

Mail submission agent (MSA)

echo | openssl s_client -starttls smtp -connect submission.example.com:587 -cipher "EDH" 2>/dev/null | grep -ie "Server .* key"

XMPP/Jabber

echo | openssl s_client -starttls xmpp -connect jabber.example.com:5222 -cipher "EDH" 2>/dev/null | grep -ie "Server .* key"

This should output two lines:
Server public key is 4096 bit: this is your RSA key size.
Server Temp Key: DH, 4096 bits: this is your DH-Parameter size. If this is 1024 bits or lower, you need to upgrade your configuration.
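The one-liners above are meant to be read by eye. The following script is an added example (not BetterCrypto project code) that builds the same openssl s_client command lines for each service, parses the two lines the page tells you to look at, and applies the page's rule: DH-Parameters must be longer than 1024 bits and at least as long as the RSA key. It assumes an OpenSSL 1.0.2 client, since older releases do not print the "Server Temp Key" line; the sample outputs embedded below are constructed, not captured from a real host.

```python
"""Logjam quick check: parse `openssl s_client` output for the two sizes the
page tells you to look at (added example, not BetterCrypto project code).
Assumes OpenSSL >= 1.0.2 on the client side. Sample outputs are constructed."""
import re
import subprocess

# "Server public key is 4096 bit" -> RSA key size
SERVER_KEY_RE = re.compile(r"Server public key is (\d+) bit", re.IGNORECASE)
# "Server Temp Key: DH, 4096 bits" (EDH) -- also tolerates the ECDH form
# "Server Temp Key: ECDH, P-256, 256 bits" in case no EDH suite was negotiated.
TEMP_KEY_RE = re.compile(
    r"Server Temp Key: (\w+), (?:[\w-]+, )?(\d+) bits", re.IGNORECASE)


def s_client_command(host, port, starttls=None):
    """Build the same openssl command line the page uses for each service.
    starttls is None for HTTPS, "smtp" for MTA/MSA, "xmpp" for Jabber."""
    cmd = ["openssl", "s_client"]
    if starttls:
        cmd += ["-starttls", starttls]
    # -cipher EDH forces an ephemeral DH suite so the DH size is what we see.
    cmd += ["-connect", "%s:%d" % (host, port), "-cipher", "EDH"]
    return cmd


def parse_s_client(output):
    """Return (rsa_bits, kx_type, kx_bits); an entry is None when its line is missing."""
    rsa = SERVER_KEY_RE.search(output)
    tmp = TEMP_KEY_RE.search(output)
    return (
        int(rsa.group(1)) if rsa else None,
        tmp.group(1).upper() if tmp else None,
        int(tmp.group(2)) if tmp else None,
    )


def assess(rsa_bits, kx_type, kx_bits):
    """Apply the page's rule to the parsed sizes."""
    if kx_bits is None:
        # No "Server Temp Key" line: no EDH suite negotiated, or client OpenSSL < 1.0.2.
        return "unknown"
    if kx_type != "DH":
        return "not-dh"
    if kx_bits <= 1024:
        return "weak"
    if rsa_bits is not None and kx_bits < rsa_bits:
        return "shorter-than-rsa"
    return "ok"


def check_server(host, port, starttls=None, timeout=15):
    """Live check: run openssl, discard stderr as the page's one-liners do."""
    proc = subprocess.run(s_client_command(host, port, starttls), input=b"\n",
                          stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
                          timeout=timeout)
    sizes = parse_s_client(proc.stdout.decode("utf-8", "replace"))
    return sizes + (assess(*sizes),)


# Constructed sample outputs in the OpenSSL 1.0.2 s_client format (not real captures).
SAMPLE_OK = """\
Server Temp Key: DH, 4096 bits
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
"""
SAMPLE_WEAK = """\
Server Temp Key: DH, 1024 bits
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
"""

if __name__ == "__main__":
    for name, text in (("sample-ok", SAMPLE_OK), ("sample-weak", SAMPLE_WEAK)):
        sizes = parse_s_client(text)
        print(name, sizes, assess(*sizes))
    # Live check of the host named on the page (needs network and OpenSSL >= 1.0.2):
    # print(check_server("bettercrypto.org", 443))
```

A result of "unknown" most often means the client is OpenSSL 0.9.8/1.0.1, which never prints the temp key line, so upgrade the client before concluding anything about the server.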

Further reading

You can find more technical details about The Logjam Attack at https://weakdh.org/.

Emilia Kasper has posted an article on Logjam, FREAK and Upcoming Changes in OpenSSL to give you a head start on the next OpenSSL updates to come.

The technical paper is Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice. (PDF)

Hanno Böck has written a lengthy piece on Logjam in German: Logjam-Angriff: Schwäche im TLS-Verfahren gefährdet zehntausende Webseiten

Updates

2015-05-21 14:59 CET: Updated testing commands to also work on Linux. (Tested on Debian Wheezy.) Updated explanations that OpenSSL 1.0.2 is required to display DH Parameters.

31C3

During the 31st CCC congress, the German newspaper Der Spiegel released some documents on attempts to break and/or weaken TLS/SSL. This will be a good reason for us to review the BetterCrypto recommendations fully. Stay tuned.

The POODLE Killed It

The POODLE attack pretty much killed SSLv3, which we did not recommend anymore anyway. Our BetterCrypto guide generally does not recommend SSLv3 for servers. You will find in our guide that we always excluded SSLv3:

SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'

If you look at the settings above, you will find that SSLProtocol disables SSLv3, while the cipher string, at first sight, seems to enable it again. This is not the case! The abbreviation +SSLv3 in the SSLCipherSuite string simply enables certain cipher combinations that were specified in SSLv3 and TLS 1.0 alike. It does not enable SSLv3!
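To make the distinction between the protocol directive and the cipher-string alias mechanical, here is an added example (not BetterCrypto's code) that evaluates an Apache SSLProtocol line the way mod_ssl does, "+X" adds a version, "-X" removes one, and a bare "X" replaces the whole set (newer mod_ssl releases log a warning about a missing +/- prefix in that case), and separately reports whether "+SSLv3" merely appears as a cipher-list alias. The membership of "All" is assumed to be the OpenSSL 1.0.x-era set; the config samples are constructed from the directives shown above, with the cipher string abridged.

```python
"""Apache mod_ssl SSLProtocol / SSLCipherSuite sanity check (added example,
not BetterCrypto's code). Models mod_ssl's left-to-right token handling:
"+X" adds, "-X" removes, bare "X" replaces the set, "All" means every version.
ALL_PROTOCOLS is an assumption for the OpenSSL 1.0.x era."""
import re

ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}


def canonical(name):
    """Map a case-insensitive protocol token to its canonical spelling."""
    for proto in ALL_PROTOCOLS:
        if proto.lower() == name.lower():
            return proto
    raise ValueError("unknown protocol %r" % name)


def enabled_protocols(directive_args):
    """Evaluate the arguments of an SSLProtocol directive left to right."""
    enabled = set()
    for token in directive_args.split():
        if token[0] in "+-":
            action, name = token[0], token[1:]
        else:
            action, name = "", token
        members = set(ALL_PROTOCOLS) if name.lower() == "all" else {canonical(name)}
        if action == "+":
            enabled |= members
        elif action == "-":
            enabled -= members
        else:
            enabled = members  # bare token: replaces the set, does not add to it
    return enabled


def audit_apache_ssl(config_text):
    """Report whether SSLv3 is really enabled, versus merely named in the cipher string."""
    proto = re.search(r"^\s*SSLProtocol\s+(.+?)\s*$", config_text, re.MULTILINE)
    suite = re.search(r"^\s*SSLCipherSuite\s+['\"]?([^'\"\n]+)", config_text, re.MULTILINE)
    protocols = enabled_protocols(proto.group(1)) if proto else set()
    cipher_string = suite.group(1) if suite else ""
    return {
        "protocols": protocols,
        "sslv3_protocol_enabled": "SSLv3" in protocols,
        # "+SSLv3" in a cipher list is an OpenSSL alias for suites defined in the
        # SSLv3 spec (also used by TLS 1.0+); it is not a protocol-version switch.
        "cipher_string_has_sslv3_alias": "+SSLv3" in cipher_string.split(":"),
    }


# Constructed from the guide's directives above; cipher string abridged.
GUIDE_CONFIG = """\
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH:+CAMELLIA256:+AES256:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!RC4'
"""
# Constructed typo variant: a bare SSLv3 token replaces the set instead of removing it.
TYPO_CONFIG = "SSLProtocol All -SSLv2 SSLv3\n"

if __name__ == "__main__":
    for label, cfg in (("guide", GUIDE_CONFIG), ("typo", TYPO_CONFIG)):
        print(label, audit_apache_ssl(cfg))
```

The point of the typo variant is that a dropped minus sign does not leave SSLv3 enabled alongside the rest; it leaves SSLv3 as the only enabled version, which is why the page insists on checking the SSLProtocol line rather than the cipher string.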

Ohai #30C3!

To all people at the CCC:

We need your help!

Good open source cryptography is essential to security. Implementing it correctly is often a complex riddle. This project aims to provide an open source guide to applied crypto hardening.

So what can you do?

  • Read our paper
  • Review it
  • Test it and implement it
  • Give us your feedback on the mailing list
  • Send us patches or pull requests

Thank you for your help and knowledge. Solid reviews by multiple eyes are the key.

Download the 30C3 LightningTalk Slides (PDF)