BetterCrypto⋅org

Applied Crypto Hardening

TLS Logjam

The Logjam Attack exploits a weakness affecting all versions of the TLS protocol that allows a monster-in-the-middle to downgrade a connection to 512-bit export-grade cryptography.

Our recommendation has always been to use Diffie-Hellman parameters longer than 1024 bits. The general recommendation is to use 4096 bits wherever possible, and in any case at least the length of your RSA key. That means DH parameters of at least 2048 bits when using 2048-bit RSA keys.

When using server daemons that allow you to specify DH parameters from a file, double-check that you are actually doing so; most default to only 1024 bits. If your server daemon does not allow specifying a file, check whether an updated version is available. Keep in mind that some clients and servers do not work well with DH parameters longer than 1024 bits.

As always, update your software, and never rely on sane, let alone secure, defaults.

Testing

If you want to quickly test whether your server is affected, you can do so using openssl(1) 1.0.2. OpenSSL 0.9.8 and 1.0.1 do not output the DH parameter information.

Webserver

echo | openssl s_client -connect bettercrypto.org:443 -cipher "EDH" 2>/dev/null | grep -ie "Server .* key"

Mailserver

Mail transport agent (MTA)

echo | openssl s_client -starttls smtp -connect smtp.example.com:25 -cipher "EDH" 2>/dev/null | grep -ie "Server .* key"

Mail submission agent (MSA)

echo | openssl s_client -starttls smtp -connect submission.example.com:587 -cipher "EDH" 2>/dev/null | grep -ie "Server .* key"

XMPP/Jabber

echo | openssl s_client -starttls xmpp -connect jabber.example.com:5222 -cipher "EDH" 2>/dev/null | grep -ie "Server .* key"

This should output two lines:
"Server public key is 4096 bit" is your RSA key size.
"Server Temp Key: DH, 4096 bits" is your DH parameter size. If this is 1024 bits or lower, you need to upgrade your configuration.
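The checks above leave it to the reader to compare the two numbers by eye. The following POSIX shell script is an added example, not code from BetterCrypto.org: it wraps the same openssl s_client probe and classifies the result against the recommendation on this page (DH parameters above 1024 bits and at least as long as the RSA key). The function names, the classification labels and the sample s_client output are constructed for this example; the 2048-bit threshold below is only the page's "at least the RSA key length" rule applied to a 2048-bit key.

```shell
#!/bin/sh
# Added example (not part of the BetterCrypto.org page). Parses the two lines that
# the "openssl s_client ... | grep -ie 'Server .* key'" probes print and decides
# whether the server's DH parameters meet this page's recommendation.
# Helper names, status labels and sample output are constructed assumptions.

# logjam_verdict: read s_client output on stdin, print "RSA=<n> DH=<n> <STATUS>".
#   WEAK  : DH parameters are 1024 bits or shorter (upgrade the configuration)
#   SHORT : DH parameters are above 1024 bits but shorter than the RSA key
#   OK    : DH parameters are above 1024 bits and at least the RSA key length
#   NO_DH : no "Server Temp Key: DH" line; either the server refused every EDH
#           cipher (handshake failed) or the openssl build is older than 1.0.2
logjam_verdict() {
    out=$(cat)   # capture stdin once so it can be scanned twice
    rsa=$(printf '%s\n' "$out" | sed -n 's/^Server public key is \([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    dh=$(printf '%s\n' "$out" | sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1)
    if [ -z "$dh" ]; then
        status=NO_DH
    elif [ "$dh" -le 1024 ]; then
        status=WEAK
    elif [ -n "$rsa" ] && [ "$dh" -lt "$rsa" ]; then
        status=SHORT
    else
        status=OK
    fi
    printf 'RSA=%s DH=%s %s\n' "${rsa:-?}" "${dh:-?}" "$status"
}

# check_host HOST PORT [STARTTLS_PROTO]: run the page's probe against a live host
# and classify it. The third argument (smtp, xmpp, ...) selects the STARTTLS
# variant exactly as in the mail and XMPP commands above. Requires OpenSSL 1.0.2.
check_host() {
    host=$1; port=$2; proto=$3
    if [ -n "$proto" ]; then
        echo | openssl s_client -starttls "$proto" -connect "$host:$port" -cipher "EDH" 2>/dev/null | logjam_verdict
    else
        echo | openssl s_client -connect "$host:$port" -cipher "EDH" 2>/dev/null | logjam_verdict
    fi
}

# Constructed sample output (not captured from a real server) for offline use.
SAMPLE_WEAK='CONNECTED(00000003)
Server public key is 2048 bit
Server Temp Key: DH, 1024 bits
---'
SAMPLE_OK='Server public key is 4096 bit
Server Temp Key: DH, 4096 bits'
SAMPLE_NODH='Server public key is 2048 bit'

# Usage: ./logjam-check.sh HOST PORT [smtp|xmpp]
if [ $# -gt 0 ]; then
    check_host "$@"
fi
```

Run it as `./logjam-check.sh www.example.com 443` or `./logjam-check.sh smtp.example.com 25 smtp`; a WEAK or SHORT verdict means the DH parameter file is missing, too short, or not actually being loaded, which is the case the paragraph above asks you to double-check. NO_DH deserves a second look rather than a pass: with `-cipher "EDH"` the probe only succeeds when the server agrees to an ephemeral DH suite, so an empty result tells you nothing about the parameters the server would use with other clients.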

Further reading

You can find more technical details about The Logjam Attack at https://weakdh.org/.

Emilia Kasper has posted an article on Logjam, FREAK and Upcoming Changes in OpenSSL to give you a headstart on the next OpenSSL updates to come.

The technical paper is Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice. (PDF)

Hanno Böck has written a lengthy piece on Logjam in German: Logjam-Angriff: Schwäche im TLS-Verfahren gefährdet zehntausende Webseiten

Updates

2015-05-21 14:59 CET: Updated testing commands to also work on Linux. (Tested on Debian Wheezy.) Updated explanations that OpenSSL 1.0.2 is required to display DH Parameters.