Menu
▾
▴
Re: [Openvpn-users] Logjam: new tls/dh attack
|
From: Steffan K. <st...@ka...> - 2015-05-21 14:50:24
|
On Thu, May 21, 2015 at 3:58 PM, Jan Just Keijser <ja...@ni...> wrote: > On 21/05/15 15:11, Kapetanakis Giannis wrote: >> Just a heads up on this new attack >> https://weakdh.org/ >> > the short gist of this attack is: upgrade your DH param file to 2048 > bits or more otherwise you're vulnerable :) This is true, but in the case of OpenVPN the case is less horrible, because: 1) OpenVPN encourages users to generate their own DH-group using 'openssl dhparam', instead of using common groups. The man page / examples used to provide 1024 bits DH keys (updated to 2048 recently), and although 1024 bits dh params *can* be broken, that is still *very* expensive. Probably too expensive for your data if you don't share the group with others. 2) OpenVPN's tls-auth feature can prevent the downgrade attack on TLS from happening (but, only if you use tls-auth, of course). Still, use DH params of at least 2048 bits, please! Upgrading is easy and only needs a change on the server. Generate new params using e.g.: openssl dhparam -out dh3072.pem 3072 update your server config to use this file: dh dh3072.pem and restart the server. -Steffan |
