[OpenVPN-NL] Security advisory: Logjam / weakdh
steffan.karger at fox-it.com
Wed May 20 23:37:22 CEST 2015
OpenVPN-NL is not vulnerable to the Logjam attack [logjam] and no action
is required from OpenVPN-NL administrators or users.
Critical vulnerabilities in Diffie-Hellman key-exchanges and the TLS
protocol, dubbed 'Logjam', have been published this morning [logjam].
The authors of [logjam] show a man-in-the-middle attack on TLS that
downgrades the DH parameters used for key-exchange to EXPORT-grade
(512-bits) parameters, if both client and server have support for
Furthermore, the authors show they can break 512-bits DH key exchanges,
based on a known DH group, within 90 seconds. They argue the scientific
community should be able to break 768-bits parameters and state actors
might be able to break 1024-bits parameters.
OpenVPN-NL is not vulnerable to Logjam for the following reasons:
1) OpenVPN encourages users to generate their own DH-parameters, rather
than using a known DH-group.
2) OpenVPN-NL enforces the use of 2048-bit DH parameters, which is
considered large enough to be infeasible to break.
3) OpenVPN-NL can not be configured to support export-grade DH parameters.
Furthermore, use of the recommended tls-auth feature would block the
man-in-the-middle downgrade attack.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 473 bytes
Desc: OpenPGP digital signature
Url : http://lists.fox-it.com/pipermail/list-openvpn-nl/attachments/20150520/5c7de07e/attachment.bin
More information about the list-openvpn-nl