Homo Sapiens Neuromatrix - Tag - SSL
The weblog of Maxime DERCHE, UNIX hacker. Lille, University, free software, OpenBSD, Ruby on Rails, etc.
Maxime DERCHE, 2020-04-22T14:55:42+02:00

Logjam attack
2015-05-20T15:47:00+02:00, Maxime DERCHE
Categories: Computing, Diffie-Hellman, Logjam, SSL, TLS
<p>A new wide-impact cryptographic attack was published a few hours ago: <a href="https://weakdh.org/" hreflang="en" title="the Logjam attack">Logjam</a>.</p>
<p>It's an attack on the <a href="https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange" hreflang="en" title="Diffie–Hellman key exchange">Diffie-Hellman key exchange mechanism</a>, with impact:</p>
<ul>
<li>on TLS/SSL if the EXPORT algorithms are still enabled and if the Diffie-Hellman parameters are shorter than 2048 bits;</li>
<li>on SSH when old versions of OpenSSH are still in use.</li>
</ul>
<p>For this personal web site I have been using 8192-bit Diffie-Hellman parameters for some time now, so even if it may seem a high value I can at least consider myself as walking on the safe side. ;-)</p>
<p>I'm wondering how the Apache HTTPd users will get out of this particular risk: there is no way to select a fixed set of Diffie-Hellman parameters in the configuration, even in the 2.4 versions (the DH length is automatically chosen based on the length of the key in the certificate, see <a href="http://blog.ivanristic.com/2013/08/increasing-dhe-strength-on-apache.html" hreflang="en" title="Increasing DHE strength on Apache 2.4.x">Ivan Ristić's explanation</a>). Final thought on this subject: Nagios NRPE (the Nagios monitoring agent) still uses 512-bit DH parameters with ADH for the "security" of its communication with the monitoring station...</p>

POODLE was not here.
2014-10-15T16:19:00+02:00, Maxime DERCHE
Categories: Personal Projects, POODLE, SSL, TLS
<p>Just for fun: SSLv3 has been disabled here for months, if not years. ;-)</p>
<p>Song of the day: Didier Super, "Petit caniche, peluche pour vieux"</p>