Skip to main content
All CollectionsRemediations
SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam) Vulnerability
SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam) Vulnerability
Alan Butcher avatar
Written by Alan Butcher
Updated over a week ago

The SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam) vulnerability when detected with a vulnerability scanner will report it as a CVSS 9.8 (v3).

CVSS is a scoring system for vulnerability systems, its an industry standard scoring system to mark findings against a specific number ranging from 0 to 10. They are shown as:

The remote host allows SSL/TLS connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits. Through cryptanalysis, a third party may be able to find the shared secret in a short amount of time (depending on modulus size and attacker resources). This may allow an attacker to recover the plaintext or potentially violate the integrity of connections.

Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS.

We have uncovered several weaknesses in how Diffie-Hellman key exchange has been deployed:

  • Logjam attack against the TLS protocol. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. The attack is reminiscent of the FREAK attack, but is due to a flaw in the TLS protocol rather than an implementation vulnerability, and attacks a Diffie-Hellman key exchange rather than an RSA key exchange. The attack affects any server that supports DHE_EXPORT ciphers, and affects all modern web browsers. 8.4% of the Top 1 Million domains were initially vulnerable.

  • Threats from state-level adversaries. Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve—the most efficient algorithm for breaking a Diffie-Hellman connection—is dependent only on this prime. After this first step, an attacker can quickly break individual connections.

Reconfigure the service to use a unique Diffie-Hellman moduli of 2048 bits or greater.

SSL parameters can globally be set in httpd.conf or within specific virtual hosts.

DH Parameters

In newer versions of Apache (2.4.8 and newer) and OpenSSL 1.0.2 or later, you can directly specify your DH params file as follows:

SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}"

If you are using Apache with LibreSSL, or Apache 2.4.7 and OpenSSL 0.9.8a or later, you can append the DHparams you generated earlier to the end of your certificate file.

Reload configuration

sudo service apache2 reload

To be placed in the website configuration server block in /etc/nginx/sites-enabled/default :

DH parameters

ssl_dhparam {path to dhparams.pem};

Reload configuration

sudo nginx -s reload

  1. Open the Group Policy Object Editor (i.e. run gpedit.msc in the command prompt).

  2. Expand Computer Configuration, Administrative Templates, Network, and then click SSL Configuration Settings.

  3. Under SSL Configuration Settings, open the SSL Cipher Suite Order setting.

  4. Set up a strong cipher suite order. See this list of Microsoft's supported ciphers and Mozilla's TLS configuration instructions.

Microsoft has also made official instructions available.

Changes should be made in /etc/lighttpd/lighttpd.conf

DH parameters

ssl.dh-file="{path to dhparams.pem}"

Reload configuration

sudo service lighttpd restart

In the server.xml file (for JSSE)


Cipher Suites

<Connector
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA"
/>

Note: To be able to use the 256 bit AES Ciphers, it is necessary to install the JCE Unlimited Strength Jurisdiction Policy Files, which can be found here.

Both parameters should be set in /etc/postfix/main.cf.

DH params

smtpd_tls_dh1024_param_file = ${config_directory}/dhparams.pem

Reload configuration

sudo postfix reload

These changes can be made in the LOCAL_CONFIG section of your /etc/mail/sendmail.mc

DH Parameters

O DHParameters={path to dhparams.pem}

Reload configuration

sudo service sendmail restart

These changes should be made in /etc/dovecot.conf

DH parameters

#regenerates every week
ssl_dh_parameters_length = 2048

Reload configuration

sudo doveadm reload

These changes should be made in the global section of your configuration.

DH Parameters

Append the DH parameter file generated using OpenSSL to your certificate (crt file).

Note: while there is configuration option named tune.ssl.default-dh-param to set the maximum size of primes used for DHE, placing custom parameters in your certificate file overrides it.

Reload configuration

sudo haproxy -f haproxy.cfg -p $(</var/run/haproxy-private.pid) -st $(</var/run/haproxy-private.pid)

The latest set of predefined SSL parameters (2015-05) use ECDHE ciphers, not DHE, and are therefore not vulnerable to Logjam. See the Amazon documentation.

The SSH protocol is safe from the LogJam attack in which an active attacker can force the connection down to export-grade cryptography. However, many SSH implementations, including OpenSSH use fixed primes, including the 1024-bit Oakley Group 2. There are a couple of options. The first and easiest option is to force clients to use elliptic-curve Diffie-Hellman. Specificially, Curve 25519. This can be accomplished by setting your Key Exchange algorithms as follows:

KexAlgorithms [email protected]

If you want to continue to support non-elliptic-curve Diffie-Hellman, at the very least, you should disable Group 1 support, by removing the diffie-hellman-group1-sha1 Key Exchange. It is fine to leave diffie-hellman-group14-sha1, which uses a 2048-bit prime.

It is also an option to generate new Diffie-Hellman groups:

ssh-keygen -G moduli-2048.candidates -b 2048
ssh-keygen -T moduli-2048 -f moduli-2048.candidates

You then need to install moduli-2048 to your system's moduli file. In Debian/Ubuntu, this is located at /etc/ssh/moduli. SSH chooses (practically randomly) from this file, so you should replace your existing moduli file with the new groups you generated instead of appending these new groups.

Did this answer your question?