stefan's blag and stuff

Blog – 2015-05-23 – Wrong again - Logjam

Dammit. Wrong again. In the last blog post I recommended using a well-chosen prime, e.g. from an RFC, for the Diffie-Hellman parameters. If you have read the news lately, you will have noticed that this is totally the wrong thing to do, because it increases the value for an attacker of starting a costly precomputation to attack a lot of different servers at the same time. That's one part of the Logjam attack. The other part is a downgrade vulnerability in TLS connections. See weakdh.org and Bruce Schneier's blog for details.

How to fix the mess?

The new correct way to handle the Diffie-Hellman parameters is to generate a unique prime of at least 2048 bits for each server or service. You should not reuse the prime on multiple servers, since an attacker must carry out the precomputation for each prime he wants to attack. OK, how can I do it right?

First, you have to generate your own Diffie-Hellman parameters. This can easily be done with openssl.

$ openssl dhparam -out dhparams.pem 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
[...]
$ openssl dhparam -text -noout -in dhparams.pem
    PKCS#3 DH Parameters: (2048 bit)
        prime:
            00:d9:ab:c4:15:f8:e1:43:ba:86:36:9d:ea:d2:60:
            25:ab:67:55:26:60:52:e3:24:2f:6a:39:b5:6f:65:
            19:76:53:ca:79:4b:af:9d:a1:e1:fb:aa:a5:cd:52:
            9a:49:94:98:84:bd:26:01:f3:7a:a3:68:5c:56:11:
            41:d0:82:f8:0d:9c:da:d7:ff:04:f6:a1:d7:49:95:
            92:99:b3:04:0f:02:3b:89:b4:d5:9b:b7:e9:e8:4b:
            7e:99:77:a5:f2:6a:35:ee:3a:5e:33:17:d5:24:62:
            03:cb:ff:ba:2b:d6:84:d8:da:9d:1c:de:95:c0:56:
            1e:e0:5b:94:0d:22:c0:f7:e6:46:27:ea:cc:29:3d:
            32:07:be:df:f5:bb:94:59:3e:61:a7:0b:e9:f1:81:
            a8:3b:10:90:b2:97:6d:ae:c9:96:10:48:52:5a:bf:
            17:ca:b1:2f:aa:b3:46:b8:9f:28:7a:7b:6a:00:90:
            63:1a:e2:f1:6e:a6:78:b2:70:02:a6:93:c8:9e:0e:
            4a:fa:21:e6:81:63:55:9a:54:49:33:65:49:82:1b:
            e9:6a:65:09:60:4c:b1:f9:fd:07:aa:68:65:af:86:
            79:e7:cf:1f:17:df:a2:02:a2:59:72:d0:3a:90:02:
            5b:9d:46:0f:75:f7:79:2d:7a:58:8b:a9:1e:02:3e:
            60:7b
        generator: 2 (0x2)

Second, the old parameters are deleted and the new parameters are put in place.

$ rm /etc/courier/dhparams.pem
$ mv dhparams.pem /etc/courier/dhparams.pem
$ vim /etc/courier/imapd-ssl
TLS_DHPARAMS=/etc/courier/dhparams.pem
$ systemctl restart courier-imap-ssl.service

And once again check the connection with openssl version 1.0.2a.

$ openssl s_client -host stcim.de -port 993
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 2048 bits

And the same for nginx: generate a unique prime and put it into the nginx configuration directory.

$ openssl dhparam -out dhparams.pem 2048
$ mv dhparams.pem /etc/nginx/keys/dhparams.pem
$ vim /etc/nginx/nginx.conf
        ssl_dhparam          /etc/nginx/keys/dhparams.pem;
$ systemctl reload nginx.service

Done! … and don't forget your OpenSSH daemon.
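
To check the two rules above (at least 2048 bits, no prime shared between services) across the files you deployed, here is an added example that is not part of the original post: it decodes the PKCS#3 structure inside each dhparams.pem and reports short or reused primes. The function names and the toy sample are assumptions made for illustration; the script does not test primality.

```python
import base64, re

# Constructed toy sample (p=23, g=5), far too small for real use; it only exercises the parser.
SAMPLE_TOY_PEM = "-----BEGIN DH PARAMETERS-----\nMAYCARcCAQU=\n-----END DH PARAMETERS-----\n"

def _read_len(der, i):
    """Decode a DER length at offset i; return (length, offset of the value)."""
    if der[i] < 0x80:                      # short form: the byte is the length
        return der[i], i + 1
    n = der[i] & 0x7F                      # long form: next n bytes hold the length
    return int.from_bytes(der[i + 1:i + 1 + n], "big"), i + 1 + n

def _read_int(der, i):
    """Decode a DER INTEGER at offset i; return (value, offset after it)."""
    if der[i] != 0x02:
        raise ValueError("expected INTEGER")
    length, i = _read_len(der, i + 1)
    return int.from_bytes(der[i:i + length], "big"), i + length

def parse_dhparams(pem_text):
    """Return (prime, generator) from a PKCS#3 'DH PARAMETERS' PEM block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if not der or der[0] != 0x30:          # outer SEQUENCE { prime, generator }
        raise ValueError("expected SEQUENCE")
    _, i = _read_len(der, 1)
    p, i = _read_int(der, i)
    g, _ = _read_int(der, i)
    return p, g

def audit(files, min_bits=2048):
    """files maps a path to its PEM text. Return [(path, problem), ...]."""
    findings, seen = [], {}
    for path, pem in sorted(files.items()):
        p, _ = parse_dhparams(pem)
        if p.bit_length() < min_bits:
            findings.append((path, f"prime is only {p.bit_length()} bits"))
        if p in seen:                      # same prime already used by another service
            findings.append((path, f"same prime as {seen[p]}"))
        seen.setdefault(p, path)
    return findings

if __name__ == "__main__":
    print(audit({"toy.pem": SAMPLE_TOY_PEM}))
```

To audit real files, read each one and pass a dict of path to file contents to audit().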