[OpenVPN-NL] Security advisory: Logjam / weakdh

Steffan Karger steffan.karger at fox-it.com
Wed May 20 23:37:22 CEST 2015


Summary:

OpenVPN-NL is not vulnerable to the Logjam attack [logjam] and no action
is required from OpenVPN-NL administrators or users.


Full description:

Critical vulnerabilities in Diffie-Hellman key exchanges and the TLS
protocol, dubbed 'Logjam', have been published this morning [logjam].

The authors of [logjam] show a man-in-the-middle attack on TLS that
downgrades the DH parameters used for the key exchange to EXPORT-grade
(512-bit) parameters, if both client and server support export-grade
parameters.

Furthermore, the authors show they can break 512-bit DH key exchanges
that use a known DH group within 90 seconds. They argue the scientific
community should be able to break 768-bit parameters and that state actors
might be able to break 1024-bit parameters.

OpenVPN-NL is not vulnerable to Logjam for the following reasons:

1) OpenVPN encourages users to generate their own DH parameters, rather
than using a known DH group.

2) OpenVPN-NL enforces the use of 2048-bit DH parameters, which is
considered large enough to be infeasible to break.

3) OpenVPN-NL cannot be configured to support export-grade DH parameters.

Furthermore, use of the recommended tls-auth feature would also block the
man-in-the-middle downgrade attack, since an attacker without the tls-auth
key cannot inject or alter TLS control-channel packets.
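As an added illustration (this is not part of the advisory and not OpenVPN-NL code), the following stdlib-only Python script performs the check that reasons 2) and 3) above rely on: it reads the PEM file an OpenVPN server points to with its `dh` option, decodes the PKCS#3 DHParameter structure (SEQUENCE of INTEGER p, INTEGER g) and reports whether the prime reaches the 2048-bit size the advisory describes. The two sample PEM blocks are constructed inside the script from placeholder odd integers of the right bit length; they are not real safe primes and exist only to exercise the parser. Function names are my own.

```python
import base64
import re

# Minimum DH prime size the advisory describes OpenVPN-NL as enforcing.
MIN_DH_BITS = 2048


def _der_len_decode(buf: bytes, i: int):
    """Decode a DER length field at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:                      # short form: one byte
        return first, i + 1
    n = first & 0x7F                      # long form: n following length bytes
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _der_int_decode(buf: bytes, i: int):
    """Decode a DER INTEGER at buf[i]; return (value, index after it)."""
    if buf[i] != 0x02:
        raise ValueError("expected INTEGER tag at offset %d" % i)
    ln, j = _der_len_decode(buf, i + 1)
    return int.from_bytes(buf[j:j + ln], "big", signed=True), j + ln


def parse_dh_params(pem: str):
    """Return (p, g) from a 'DH PARAMETERS' PEM block (PKCS#3 DHParameter)."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    _, i = _der_len_decode(der, 1)        # skip the SEQUENCE length
    p, i = _der_int_decode(der, i)        # prime modulus
    g, i = _der_int_decode(der, i)        # generator
    return p, g


def check_dh_strength(pem: str, min_bits: int = MIN_DH_BITS):
    """Classify a DH parameter file by the bit length of its prime."""
    p, g = parse_dh_params(pem)
    bits = p.bit_length()
    return {"bits": bits, "generator": g, "acceptable": bits >= min_bits}


# --- helpers to build constructed sample input (DER encoding) -------------

def _der_len_encode(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_int_encode(n: int) -> bytes:
    # (bit_length + 8) // 8 leaves room for a leading 0x00 when the top bit
    # is set, which DER requires for a positive INTEGER.
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len_encode(len(body)) + body


def make_dh_pem(p: int, g: int = 2) -> str:
    """Wrap (p, g) as a PEM 'DH PARAMETERS' block; used here for test data only."""
    body = _der_int_encode(p) + _der_int_encode(g)
    der = b"\x30" + _der_len_encode(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


# Constructed placeholder moduli: odd integers of the target bit length.
# They are NOT safe primes and must never be used as real DH parameters.
EXPORT_GRADE_PEM = make_dh_pem((1 << 511) | 1)    # 512-bit, export grade
STRONG_PEM = make_dh_pem((1 << 2047) | 1)         # 2048-bit

if __name__ == "__main__":
    for label, pem in (("export-grade", EXPORT_GRADE_PEM), ("2048-bit", STRONG_PEM)):
        print(label, check_dh_strength(pem))
```

To check a real server file, call `check_dh_strength(open("/path/to/dh.pem").read())`; the parser ignores the optional privateValueLength field PKCS#3 allows, since only p and g matter for the size check.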


[logjam] https://weakdh.org/


