Summary:
OpenVPN-NL is not vulnerable to the Logjam attack [logjam] and no action is required from OpenVPN-NL administrators or users.
Full description:
Critical vulnerabilities in Diffie-Hellman key exchanges and the TLS protocol, dubbed 'Logjam', have been published this morning [logjam].
The authors of [logjam] show a man-in-the-middle attack on TLS that downgrades the DH parameters used for the key exchange to export-grade (512-bit) parameters, if both client and server support export-grade parameters.
Furthermore, the authors show they can break 512-bit DH key exchanges based on a known DH group within 90 seconds. They argue the scientific community should be able to break 768-bit parameters and that state actors might be able to break 1024-bit parameters.
OpenVPN-NL is not vulnerable to Logjam for the following reasons:
1) OpenVPN encourages users to generate their own DH parameters, rather than using a known DH group.
2) OpenVPN-NL enforces the use of 2048-bit DH parameters, which is considered large enough to be infeasible to break.
3) OpenVPN-NL cannot be configured to support export-grade DH parameters.
Furthermore, use of the recommended tls-auth feature would block the man-in-the-middle downgrade attack.
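As an added example (not part of this advisory or of OpenVPN-NL itself), the following Python check lets an administrator confirm that a server's dh.pem meets the 2048-bit minimum named in point 2 by decoding the PKCS#3 DHParameter structure and reporting the size of the prime p. The encoder and the sample values are constructed for illustration only; they are not real safe primes.

```python
import base64
import re

MIN_DH_BITS = 2048  # the minimum OpenVPN-NL enforces, per the advisory

def _der_len(n: int) -> bytes:
    """DER length encoding (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb

def _read_tlv(der: bytes, pos: int):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length

def dh_prime_bits(pem: str) -> int:
    """Return the bit length of p in a PEM 'DH PARAMETERS' (PKCS#3) block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)          # outer SEQUENCE
    tag_p, p_bytes, _ = _read_tlv(seq, 0)     # first INTEGER is the prime p
    if tag != 0x30 or tag_p != 0x02:
        raise ValueError("not a PKCS#3 DHParameter SEQUENCE { p INTEGER, g INTEGER }")
    return int.from_bytes(p_bytes, "big").bit_length()

def dh_params_acceptable(pem: str) -> bool:
    """True when the group is at least MIN_DH_BITS, as OpenVPN-NL requires."""
    return dh_prime_bits(pem) >= MIN_DH_BITS

def encode_dh_pem(p: int, g: int = 2) -> str:
    """Constructed helper: write (p, g) in the same PEM form `openssl dhparam` produces."""
    def der_int(v: int) -> bytes:
        b = v.to_bytes(v.bit_length() // 8 + 1, "big")  # spare byte keeps the sign positive
        return b"\x02" + _der_len(len(b)) + b
    body = der_int(p) + der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"

if __name__ == "__main__":
    # Constructed sizes: the export-grade group Logjam downgrades to, and the size OpenVPN-NL enforces.
    for bits in (512, 2048):
        pem = encode_dh_pem((1 << (bits - 1)) | 1)
        print(bits, "bits ->", "acceptable" if dh_params_acceptable(pem) else "too small")
```

Against a real file, read dh.pem into a string and pass it to `dh_params_acceptable`; the check only needs the prime's size, not its primality.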
[logjam] https://weakdh.org/
list-openvpn-nl@lists.fox-it.com