Logjam attack

written by Christian Kauhaus on 2015-05-22

A few days ago, details of the Logjam attack were published. The attack tricks Internet servers into using a weak TLS cipher suite, after which the traffic encryption can easily be broken. What is the Flying Circus doing against it? To protect against the problem, several steps need to be taken:

  • Weak ciphers (so-called "export ciphers") should generally not be used.
  • 1024-bit Diffie-Hellman parameter sets are possibly too weak to resist break attempts from three-letter agencies. Instead, 2048-bit DH parameter sets should be used.
  • Pre-generated, static Diffie-Hellman parameter sets should not be used. Instead, every server should generate its own DH parameter set.

We are generally not using export ciphers, so the first part is not a problem. In the upcoming release, we are improving DH parameter management (the second and third parts) for the following components:

  • nginx (frontend web server)
  • Postfix (mail server)
  • Dovecot (mail server)
  • OpenSSH (login; see below)
Unfortunately, we cannot fix Apache web servers. These are used only for internal services, though.

Our changed OpenSSH configuration will disable DSA host keys. We also recommend against DSA client keys for login authentication. Please register an ECDSA or RSA client key with our support.
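
An added example (not Flying Circus code) of how the first two steps in the list above could be checked: `enables_export` looks for tokens in an OpenSSL cipher string that add export suites, and `dh_prime_bits` reads the prime size from a PEM `DH PARAMETERS` file. All function names are hypothetical, and the sample parameter sets are constructed placeholders whose prime has the right size but is not a real safe prime.

```python
import base64
import re

EXPORT_KEYWORDS = {"EXP", "EXPORT", "EXPORT40", "EXPORT56"}  # OpenSSL cipher-string keywords

def enables_export(cipher_string):
    """True if an OpenSSL cipher string has a token that adds export suites."""
    for token in re.split(r"[:, ]+", cipher_string.strip()):
        if not token or token[0] in "!-+":   # "!" and "-" remove suites, "+" only reorders
            continue
        if token.startswith("EXP-") or EXPORT_KEYWORDS & set(token.split("+")):
            return True
    return False

def _der_len(buf, i):
    """Decode the DER length field at buf[i]; return (length, index of content)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def dh_prime_bits(pem):
    """Bit length of p in a PEM DH PARAMETERS block: SEQUENCE { INTEGER p, INTEGER g }."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.+?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block")
    der = base64.b64decode("".join(m.group(1).split()))
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, i = _der_len(der, 1)
    if der[i] != 0x02:
        raise ValueError("first element is not an INTEGER")
    n, i = _der_len(der, i + 1)
    return int.from_bytes(der[i:i + n], "big").bit_length()

def _der(tag, body):  # helper for the constructed sample: DER tag-length-value
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def constructed_pem(bits):
    """Constructed sample input: p has the requested size but is NOT a safe prime."""
    p = (1 << (bits - 1)) | 1
    ints = [_der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in (p, 2)]
    b64 = base64.encodebytes(_der(0x30, b"".join(ints))).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + b64 + "-----END DH PARAMETERS-----\n"

if __name__ == "__main__":
    print(dh_prime_bits(constructed_pem(1024)), enables_export("ALL:EXP-RC4-MD5"))
```

A parameter file that reports fewer than 2048 bits fails the second step; the size check says nothing about whether the set was generated on this server or shipped pre-generated.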
