= Security announcement: The Logjam attack and OpenVPN =

On 20 May 2015, attacks dubbed 'Logjam' on Diffie-Hellman and TLS were published: https://weakdh.org/

The attacks only affect OpenVPN in very limited ways, because:

 1. OpenVPN encourages users to generate their own DH-group using 'openssl dhparam', instead of using common groups. The man page / examples used to provide 1024 bits DH keys (updated to 2048 recently), and although 1024 bits dh params //can// be broken, that is still //very// expensive. Probably too expensive for your data if you don't share the group with others.
 2. OpenVPN does not support EXPORT DH parameters and thus the TLS rollback attack does not apply to OpenVPN.

Users are advised to use DH params of at least 2048 bits. Updating DH parameters is easy and only needs a change on the server. Generate new params using e.g.

`$ openssl dhparam -out dh3072.pem 3072`

then update your server config to use these new parameters

`dh dh3072.pem`

and restart the server.

For more information on the attack itself, please refer to the Logjam paper: https://weakdh.org/imperfect-forward-secrecy.pdf
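
To check a server against the 2048-bit advice above, the following added example (not part of the original announcement and not OpenVPN code) reads the `dh` directive from a server config and measures the prime in the referenced PKCS#3 `DH PARAMETERS` file. The function names and the sample files are constructed for illustration; the sample moduli only have the right size and are not real DH primes.

```python
import base64, re

MIN_BITS = 2048  # minimum size the announcement advises

def _der_len(der, i):  # decode the DER length at offset i -> (length, content offset)
    if der[i] < 0x80:
        return der[i], i + 1
    n = der[i] & 0x7F
    return int.from_bytes(der[i + 1:i + 1 + n], "big"), i + 1 + n

def dh_prime_bits(pem):
    """Bit length of the prime p in a PKCS#3 'DH PARAMETERS' PEM block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.+?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode(m.group(1))
    if der[:1] != b"\x30":
        raise ValueError("expected a DER SEQUENCE")
    _, i = _der_len(der, 1)
    if der[i:i + 1] != b"\x02":
        raise ValueError("expected INTEGER p")
    n, i = _der_len(der, i + 1)
    return int.from_bytes(der[i:i + n], "big").bit_length()

def audit_server_config(config, read_file):
    """Return (verdict, bits) for the 'dh' directive of an OpenVPN server config."""
    for line in config.splitlines():
        words = re.split(r"[#;]", line)[0].split()  # drop comments, then tokenize
        if len(words) >= 2 and words[0] == "dh":
            if words[1] == "none":  # OpenVPN 2.4+: ECDH only, no finite-field group
                return "no-dh", None
            bits = dh_prime_bits(read_file(words[1]))
            return ("ok" if bits >= MIN_BITS else "weak"), bits
    return "missing", None

def _enc(tag, body):  # DER tag-length-value, used only to build the demo input
    n, k = len(body), (len(body).bit_length() + 7) // 8
    ln = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + ln + body

def make_sample_pem(bits):
    """Constructed demo input: p = 2**(bits-1) + 1 has the right size but is not a real DH prime."""
    ints = ((1 << (bits - 1)) | 1, 2)  # (p, g)
    body = b"".join(_enc(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in ints)
    return ("-----BEGIN DH PARAMETERS-----\n" + base64.encodebytes(_enc(0x30, body)).decode()
            + "-----END DH PARAMETERS-----\n")

if __name__ == "__main__":
    for size in (1024, 3072):  # the old example size vs. the size generated above
        print(size, audit_server_config("dh demo.pem\n", lambda _p: make_sample_pem(size)))
```

On a real server, pass a `read_file` that opens the path relative to the directory OpenVPN resolves it from.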