SSL TLS Diffie‐Hellman Modulus = 1024 Bits (Logjam)
Fabien edited this page May 22, 2024 · 1 revision
Using Diffie-Hellman key exchange with a modulus of 1024 bits or less (commonly known as the Logjam vulnerability) exposes SSL/TLS sessions to increased risk of interception by attackers capable of breaking the weaker encryption.
- Severity: High
- Decryption of Secure Traffic: Allows attackers to potentially decrypt past and future SSL/TLS sessions.
- Man-in-the-Middle Attacks: Facilitates eavesdropping on encrypted communications.
- Undermined Data Integrity and Confidentiality: Threatens the security guarantees that SSL/TLS protocols are supposed to provide.
This vulnerability stems from:
- Legacy Encryption Support: Maintaining compatibility with older systems that use weaker encryption standards.
- Default Configurations: Systems and software that default to 1024-bit keys without requiring stronger configurations.
Upgrading to Stronger Key Sizes:
To mitigate this vulnerability and secure SSL/TLS implementations:
- Increase Diffie-Hellman Key Size: configure servers to use a Diffie-Hellman modulus of at least 2048 bits. This requires changes to the SSL/TLS configuration files on your server.
- Update Server Configurations:

For Apache:

```apache
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# Ensure DH parameters are at least 2048 bits. mod_ssl has no SSLDHParameters
# directive; the parameters file is passed through SSLOpenSSLConfCmd
# (Apache 2.4.8+ built against OpenSSL 1.0.2+).
SSLOpenSSLConfCmd DHParameters "/path/to/dhparams.pem"
```

For Nginx:

```nginx
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384';
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients require them.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_dhparam /path/to/dhparams.pem;
```
- Generate Strong DH Parameters: use OpenSSL to generate a new DH parameters file with a larger key size:

```sh
openssl dhparam -out dhparams.pem 2048
```
- Verifying the Security of the Configuration: test your server's SSL/TLS configuration using:

```sh
openssl s_client -connect yourdomain.com:443 -cipher 'DHE-RSA-AES256-GCM-SHA384'
```

Ensure that the connection uses the new, stronger parameters: the `Server Temp Key:` line printed by `s_client` (OpenSSL 1.0.2 and later) should report `DH, 2048 bits` or larger. A server that no longer offers DHE at all will fail this forced-DHE handshake, which is also an acceptable outcome as long as ECDHE suites are available.
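The manual check above relies on reading `s_client` output by eye. The following script is an added example, not part of this wiki page or of any project it describes: it parses the `Server Temp Key:` line the way a periodic configuration check would, flags DH moduli below 2048 bits, and treats ECDHE/X25519 key exchange as unaffected. The sample output strings are constructed, and the function names (`dh_key_ok`, `probe_dh`) and the host `yourdomain.com` are assumptions.

```shell
#!/bin/sh
# Added example: classify the ephemeral key reported by `openssl s_client`.
# Exit status of dh_key_ok: 0 = acceptable, 1 = weak DH (Logjam), 2 = undetermined.
MIN_DH_BITS=2048

# dh_key_ok <s_client output text>
dh_key_ok() {
    # OpenSSL 1.0.2+ prints e.g. "Server Temp Key: DH, 2048 bits" or
    # "Server Temp Key: X25519, 253 bits". ("Server public key is 2048 bit"
    # describes the certificate's RSA key and is not what we want.)
    _line=$(printf '%s\n' "$1" | grep -i '^Server Temp Key:' | head -n 1)
    if [ -z "$_line" ]; then
        echo "no Server Temp Key line (handshake failed, no ephemeral key, or OpenSSL < 1.0.2)"
        return 2
    fi
    case "$_line" in
        *ECDH*|*X25519*|*X448*)
            # Elliptic-curve key exchange: not subject to the 1024-bit DH modulus issue.
            echo "ephemeral EC key, not affected: $_line"
            return 0 ;;
        *"Key: DH,"*bits*)
            _bits=$(printf '%s' "$_line" | sed -n 's/.*DH, \([0-9][0-9]*\) bits.*/\1/p')
            if [ "$_bits" -ge "$MIN_DH_BITS" ]; then
                echo "DH $_bits bits: OK"
                return 0
            fi
            echo "DH $_bits bits: WEAK, below $MIN_DH_BITS (Logjam)"
            return 1 ;;
        *)
            echo "unrecognised key line: $_line"
            return 2 ;;
    esac
}

# probe_dh <host> [port]: live check of a server (network access required).
# The -cipher filter forces a DHE suite on TLS 1.2; against a TLS 1.3-capable
# server add -tls1_2 so the DHE path is actually exercised.
probe_dh() {
    _out=$(printf 'Q\n' | openssl s_client -connect "$1:${2:-443}" \
        -cipher 'DHE-RSA-AES256-GCM-SHA384' 2>/dev/null)
    dh_key_ok "$_out"
}

# Offline demonstration on constructed (not captured) s_client output.
SAMPLE_WEAK="CONNECTED(00000003)
Server public key is 2048 bit
Server Temp Key: DH, 1024 bits"
SAMPLE_OK="CONNECTED(00000003)
Server Temp Key: DH, 2048 bits"
SAMPLE_EC="CONNECTED(00000003)
Server Temp Key: X25519, 253 bits"

dh_key_ok "$SAMPLE_WEAK"; echo "exit status: $?"
dh_key_ok "$SAMPLE_OK";   echo "exit status: $?"
dh_key_ok "$SAMPLE_EC";   echo "exit status: $?"
# Live use: probe_dh yourdomain.com 443
```

Run it from cron against each public endpoint and alert on exit status 1; status 2 means the server refused the forced DHE suite or printed no ephemeral key, which should be confirmed by hand rather than silently treated as a pass.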