
LOGJAM SSL bug

Posted: Wed May 20, 2015 12:01 pm
by Tralapo
Here we go again... a new failure in the world of SSL. This time it's called LOGJAM. For those who don't know what this is, see here: https://weakdh.org/

They made a workaround for sysadmins, which can be found here: https://weakdh.org/sysadmin.html

Are there any things we should do extra/different with VestaCP installed?

Re: LOGJAM SSL bug

Posted: Sun May 24, 2015 6:03 pm
by skurudo
Tralapo wrote: Are there any things we should do extra/different with VestaCP installed?
If you use a self-signed certificate, then why do you worry? :)
If not, just test your system. nginx needs customization after you install an SSL certificate.

Re: LOGJAM SSL bug

Posted: Thu Jun 04, 2015 12:12 am
by rnbmafia
Generate dhparams with the next command:

openssl dhparam -out dhparams.pem 4096

Edit /etc/nginx/nginx.conf

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

ssl_dhparam *.*/dhparams.pem;

*.* = path to the generated file

This should fix the issues with Logjam :)
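Added example, not part of the post above and not VestaCP or nginx code: a small Python check that reads an nginx config, confirms that `ssl_dhparam` is set when DHE suites are listed, and measures the prime size inside the PEM file that `openssl dhparam` writes. The function names, file paths, the 2048-bit `min_bits` default and the sample PEMs (built from a number that is not a real prime) are assumptions made for the illustration; only the size is checked, not primality.

```python
import base64, re

def _tlv(tag, body):                      # minimal DER encoder, used for the sample only
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 128 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_pem(bits):                     # constructed input: p is NOT a real safe prime
    p = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    der = _tlv(0x30, _tlv(0x02, p) + _tlv(0x02, b"\x02"))
    return "-----BEGIN DH PARAMETERS-----\n" + base64.encodebytes(der).decode() + "-----END DH PARAMETERS-----\n"

def _read(buf, pos):                      # read one DER tag/length/value
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                          # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n]

def dh_prime_bits(pem):
    """Bit length of prime p in a PEM 'DH PARAMETERS' (PKCS#3) file."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.+?)-----END", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block")
    tag, seq = _read(base64.b64decode("".join(m.group(1).split())), 0)
    ptag, p = _read(seq, 0)
    if (tag, ptag) != (0x30, 0x02):
        raise ValueError("not SEQUENCE { INTEGER p, ... }")
    return int.from_bytes(p, "big").bit_length()

def audit(conf, read_file, min_bits=2048):   # returns a list of findings
    out = []
    c = re.search(r"^\s*ssl_ciphers\s+'?([^';]+)'?\s*;", conf, re.M)
    tokens = c.group(1).split(":") if c else []
    dhe = [t for t in tokens if re.match(r"(DHE-|EDH-|kEDH|kDHE)", t)]
    if c and "!EXPORT" not in tokens:
        out.append("ssl_ciphers has no explicit !EXPORT")
    d = re.search(r"^\s*ssl_dhparam\s+([^;\s]+)\s*;", conf, re.M)
    if dhe and not d:
        out.append("DHE suites listed but ssl_dhparam is not set")
    if d and dh_prime_bits(read_file(d.group(1))) < min_bits:
        out.append(f"DH group in {d.group(1)} is below {min_bits} bits")
    return out

FILES = {"/etc/nginx/dh1024.pem": sample_pem(1024), "/etc/nginx/dh4096.pem": sample_pem(4096)}
WEAK = "ssl_ciphers 'DHE-RSA-AES128-SHA:AES128-SHA';\nssl_dhparam /etc/nginx/dh1024.pem;\n"
FIXED = "ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:!EXPORT';\nssl_dhparam /etc/nginx/dh4096.pem;\n"
```

Call `audit(WEAK, FILES.__getitem__)` to see the findings for the weak sample; on a real server, pass a function that reads the file from disk instead.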

Re: LOGJAM SSL bug

Posted: Thu Jun 04, 2015 5:16 am
by skurudo
rnbmafia wrote: Edit /etc/nginx/nginx.conf
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
Too many ciphers, don't you think?

Re: LOGJAM SSL bug

Posted: Thu Jun 04, 2015 5:17 am
by skurudo
https://weakdh.org/sysadmin.html - test your system online

https://weakdh.org/ - about logjam

Re: LOGJAM SSL bug

Posted: Thu Jun 04, 2015 5:44 pm
by rnbmafia
Yes, they are many, is that bad?

Re: LOGJAM SSL bug

Posted: Thu Jun 04, 2015 6:51 pm
by skurudo
rnbmafia wrote: Yes, they are many, is that bad?
The directives ssl_protocols and ssl_ciphers can be used to limit connections to include only the strong versions and ciphers of SSL/TLS. (c) from Nginx docs. Why use not strong or cheap algorithms?