Changes between Initial Version and Version 1 of Logjam

05/23/15 16:44:06 (3 years ago)
Steffan Karger



  • Logjam

    v1 v1  
     1= Security announcement: The Logjam attack and OpenVPN =
     3On 20 May 2015, attacks dubbed 'Logjam' on Diffie-Hellman and TLS were published:
     6The attacks only affects OpenVPN is very limited ways, because:
     71. OpenVPN encourages users to generate their own DH-group using 'openssl dhparam', instead of using common groups. The man page / examples used to provide 1024 bits DH keys (updated to 2048 recently), and although 1024 bits dh params //can// be broken, that is still //very// expensive. Probably too expensive for your data if you don't share the group with others.
     82. OpenVPN does not support EXPORT DH parameters and thus the TLS rollback attack does not apply to OpenVPN.
     10Users are advised to use DH params of at least 2048 bits. Updating DH parameters is easy and only needs a change on the server. Generate new params using e.g.
     12  `$ openssl dhparam -out dh3072.pem 3072`
     14then update your server config to use these new parameters
     16  `dh dh3072.pem`
     18and restart the server.
     20For more information on the attack itself, please refer to the Logjam paper: