Summary:
OpenVPN-NL is not vulnerable to the Logjam attack [logjam] and no action
is required from OpenVPN-NL administrators or users.
Full description:
Critical vulnerabilities in Diffie-Hellman key exchanges and the TLS
protocol, dubbed 'Logjam', have been published this morning [logjam].
The authors of [logjam] show a man-in-the-middle attack on TLS that
downgrades the DH parameters used for the key exchange to export-grade
(512-bit) parameters. The attack works against any server that still
supports export-grade DHE cipher suites: the attacker rewrites the
client's offer to request an export suite, and because TLS does not bind
the DH parameters to the negotiated cipher suite, the client cannot tell
that the 512-bit group it receives was meant for an export suite and
accepts it.
Furthermore, the authors show that, after a one-time precomputation for
a widely used 512-bit DH group, they can break individual key exchanges
in that group within 90 seconds. They argue the scientific community
should be able to do the same for 768-bit parameters, and that state
actors might already be able to for 1024-bit parameters.
OpenVPN-NL is not vulnerable to Logjam for the following reasons:
1) OpenVPN encourages users to generate their own DH parameters rather
than using a well-known DH group, so an attacker's precomputation for a
common group does not apply.
2) OpenVPN-NL enforces the use of 2048-bit DH parameters, which are
considered large enough to be infeasible to break.
3) OpenVPN-NL cannot be configured to support export-grade DH parameters,
so there is no weak cipher suite for an attacker to downgrade to.
Furthermore, the recommended tls-auth feature authenticates every
control-channel packet with an HMAC under a pre-shared key; an attacker
without that key cannot modify the TLS handshake, which blocks the
man-in-the-middle downgrade attack.
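The following is an added example, not code from OpenVPN-NL or from the
Logjam authors, showing how an administrator could check a server
configuration against the mitigations listed above: it parses the PEM
"DH PARAMETERS" file named by the 'dh' directive, reports the modulus
size against the 2048-bit minimum, and flags a missing 'tls-auth'. The
PEM/DER handling, the audit_openvpn_config function and the
read_file callback are all assumptions of this example; the demo input
(configuration text and DH files) is constructed inline, and the demo
moduli are chosen only for their bit length, they are not real primes.

```python
"""Audit an OpenVPN server config for the Logjam mitigations named in the
advisory: a site-specific DH group of at least 2048 bits and tls-auth.
Stdlib only; PEM/DER for PKCS#3 DHParameter is handled by hand."""
import base64
import re

MIN_DH_BITS = 2048  # size OpenVPN-NL enforces, per the advisory

# --- minimal DER helpers: DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER } ---

def _der_len_enc(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der_len_dec(buf, i):
    first, i = buf[i], i + 1
    if first < 0x80:
        return first, i
    n = first & 0x7F
    return int.from_bytes(buf[i:i + n], "big"), i + n

def _der_int_enc(n):
    # +8 instead of +7 forces a leading 0x00 byte when the top bit is set,
    # which DER requires to keep a positive INTEGER positive.
    size = (n.bit_length() + 8) // 8
    return b"\x02" + _der_len_enc(size) + n.to_bytes(size, "big")

def _der_int_dec(buf, i):
    if buf[i] != 0x02:
        raise ValueError("expected DER INTEGER")
    length, i = _der_len_dec(buf, i + 1)
    return int.from_bytes(buf[i:i + length], "big", signed=True), i + length

def make_dh_params_pem(p, g=2):
    """Encode (p, g) as a PEM 'DH PARAMETERS' block, the format openssl dhparam writes."""
    body = _der_int_enc(p) + _der_int_enc(g)
    der = b"\x30" + _der_len_enc(len(body)) + body
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN DH PARAMETERS-----\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END DH PARAMETERS-----\n")

def parse_dh_params_pem(pem):
    """Return (p, g) from a PEM 'DH PARAMETERS' block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected DER SEQUENCE")
    _, i = _der_len_dec(der, 1)
    p, i = _der_int_dec(der, i)
    g, _ = _der_int_dec(der, i)
    return p, g

def audit_openvpn_config(config_text, read_file):
    """Return a list of findings (empty means no issue found).
    read_file(name) must return the contents of a file referenced by the config."""
    findings = []
    directives = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop # and ; comments
        if line:
            name, _, args = line.partition(" ")
            directives[name] = args.strip()
    if "dh" not in directives:
        findings.append("no 'dh' directive: server cannot offer DHE")
    else:
        p, _ = parse_dh_params_pem(read_file(directives["dh"]))
        bits = p.bit_length()
        if bits < MIN_DH_BITS:
            findings.append(f"dh group is {bits} bits, below the {MIN_DH_BITS}-bit minimum")
    if "tls-auth" not in directives:
        findings.append("no 'tls-auth': control channel is not HMAC-protected against tampering")
    return findings

# Constructed demo input (hypothetical file names; moduli chosen for size only, not primes).
WEAK_P = (1 << 511) | 1      # 512-bit, export-grade size
STRONG_P = (1 << 2047) | 1   # 2048-bit, the size OpenVPN-NL requires
FILES = {"dh512.pem": make_dh_params_pem(WEAK_P),
         "dh2048.pem": make_dh_params_pem(STRONG_P)}
WEAK_CONFIG = "dh dh512.pem\n"
GOOD_CONFIG = "dh dh2048.pem\ntls-auth ta.key 0\n"

if __name__ == "__main__":
    print("weak config:", audit_openvpn_config(WEAK_CONFIG, FILES.__getitem__))
    print("good config:", audit_openvpn_config(GOOD_CONFIG, FILES.__getitem__))
```

To run this against a real deployment, pass the server configuration
text and a read_file that opens paths relative to the config directory;
the DH parser accepts the output of 'openssl dhparam' unchanged.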
[logjam] https://weakdh.org/