Test your server against the LOGJAM vulnerability



How to fix LOGJAM

Apache < 2.4.8

Because Apache (with OpenSSL) prior to 2.4.8 has no possibility to use other DH input parameters, this solution mitigates the attack by avoiding the use of DHE ciphers. It also disables SSLv2 and SSLv3 to avoid Poodle Attack.

Change the global configuration file or add within the virtual hosts files.

  • /usr/local/apache2/conf/httpd.conf (Source)
  • /etc/apache2/apache2.conf (Ubuntu)
  • /etc/httpd/conf/httpd.conf (Fedora, CentOS, RHEL, Mandriva)
  • /etc/apache2/httpd.conf (OSX)

      SSLProtocol all -SSLv2 -SSLv3
      SSLCompression off
      SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
      SSLHonorCipherOrder on 

And reload the apache2 configuration

      sudo service apache2 reload 

The only downfall is that IE6 is not supported with this configuration.


Apache >= 2.4.8

To mitigate the attack, we change the DH input parameters. Therefor we first have to create new input parameters

      openssl dhparam -out dhparams.pem 2048 

Then we can add the following to the global configuration file or within the virtual hosts

  • /usr/local/apache2/conf/httpd.conf (Source)
  • /etc/apache2/apache2.conf (Ubuntu)
  • /etc/httpd/conf/httpd.conf (Fedora, CentOS, RHEL, Mandriva)
  • /etc/apache2/httpd.conf (OSX)

      SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}"

And reload the apache2 configuration

      sudo service apache2 reload 

It is still recommanded to disable some SSL ciphers and some SSL protocols, not to mitigate this attack. But to mitigate other vurnabilities. So add following configuration to the apache2 configuration or to the virtual hosts files.

      SSLProtocol all -SSLv2 -SSLv3
      SSLCompression off
      SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
      SSLHonorCipherOrder on 

Note. The last step will disable support for IE6 on your server.


Nginx

To mitigate the attack, we change the DH input parameters. Therefor we first have to create new input parameters

      openssl dhparam -out dhparams.pem 2048 

Then we can add the following to the global configuration file /etc/nginx/sites-enabled/default

      ssl_dhparam {path to dhparams.pem}

And reload the nginx configuration

      sudo service nginx reload 

It is still recommanded to disable some SSL ciphers, not to mitigate this attack. But to mitigate other vurnabilities. So add following configuration to the nginx configuration.

      ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
      ssl_prefer_server_ciphers on; 


Who are we?

We are a startup creating a platform for continuous vulnerability scanning of servers. One will receive alerts when new security exploits are uncovered that hit their server, together with possible resolutions. Our platform is still not quite finished, but you can follow our progress on twitter. Subscribe to our twitter if you want to get notified when our platform is ready.