

Attack of the week: Logjam - jcurbo
http://blog.cryptographyengineering.com/2015/05/attack-of-week-logjam.html

======
nadams
If you are using Debian 7 or similar distro with an older version of Apache
you can avoid it by using the following ciphers[1]:

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-
SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-
AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-
AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-
AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-
AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-
SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-
CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-
CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE-RSA-AES128-GCM-
SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-SHA256:!DHE-RSA-
AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-
CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA

However if you are using Apache 2.4.8 or later just follow the instructions
here[2]

Either should get you an "A" on SSL labs test[3]

[1] [http://serverfault.com/questions/693306/trying-to-
mitigate-l...](http://serverfault.com/questions/693306/trying-to-mitigate-
logjam-on-apache-2-2-16/)

[2] [https://weakdh.org/sysadmin.html](https://weakdh.org/sysadmin.html)

[3]
[https://www.ssllabs.com/ssltest/analyze.html](https://www.ssllabs.com/ssltest/analyze.html)

------
dolfje
I encourage all people to check their website. On our checker
([http://security.uwsoftware.be/logjam](http://security.uwsoftware.be/logjam))
we see that 59% is still vulnerable (<= 1024 key). Even after checking most
people don't upgrade. Note: the solution isn't that difficult (see
[https://weakdh.org/sysadmin.html](https://weakdh.org/sysadmin.html))

------
yuhong
What is also fun is that neither IE or Netscape support DHE_RSA_EXPORT, and
they didn't bother with DHE_RSA_EXPORT1024 at all (only DHE_DSS_EXPORT1024).

