Date: Thu, 21 May 2015 09:33:42 +0100 From: Matthew Seaman <matthew@freebsd.org> To: freebsd-security@freebsd.org Cc: freebsd-ports@freebsd.org Subject: Re: LogJam exploit can force TLS down to 512 bytes, does it affect us? ? Message-ID: <555D9866.7030507@freebsd.org> In-Reply-To: <555D0F37.8040605@delphij.net> References: <201505202140.t4KLekE6081029@fire.js.berklix.net> <555D0F37.8040605@delphij.net>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --tHDSLuTq8xdtLdDfvLg1dMmmOQ0rKiSIV Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 05/20/15 23:48, Xin Li wrote: > The document at https://weakdh.org/sysadmin.html gives additional > information for individual daemons, including Apache (mod_ssl), nginx, > lighttpd, Tomcat, postfix, sendmail, dovecot and HAProxy. The part of that https://weakdh.org/ site that concerns me most is the statement about 25.7% of SSH servers being vulnerable if the 1024bit D-H group is broken. We've got pretty good instructions for hardening anything that uses TLS against this attack, but not a lot on SSH. About the only relevant thing I've found is: http://blog.mro.name/2015/05/hardening-ssh-debian-wheezy/ which inter-alia suggests upgrading to OpenSSH-6.6 -- which has been in FreeBSD-10 since March ---, modifying some config parameters: KexAlgorithms, Ciphers, MACs and then regenerating ed25519 and rsa host keys. Err... what? How are ed25519 and rsa host keys affected by a downgrade attack on Diffie-Helman? Cheers, Matthew --tHDSLuTq8xdtLdDfvLg1dMmmOQ0rKiSIV Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQJ8BAEBCgBmBQJVXZh4XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQxOUYxNTRFQ0JGMTEyRTUwNTQ0RTNGMzAw MDUxM0YxMEUwQTlFNEU3AAoJEABRPxDgqeTnX58QALHD2YU0j6XRLtWYOFer79hr 1piRUhU2qYfs00t3a8D3zei5T2gN64ZWkC/zaYRsQK7ZjladKji4T5Wsp08T46xI Zct93n11f20Nw1kE9qDh43XV/Oun7sTVcQrKmvvaLecx9XwUKTyyWYVrMV5LCqCN +UoTUQPHRy0FXuPNcf3vIV+2XkUuKHOfCGJNSspcsFsHV01dPFzGgOKbTJNU94Xs 3BtbeGgcJtd+bSzfwHwQdY34O9YUYHb7AR9o2Ru0t25k5MeKf7O0eOPZ9yEkJb+r w9rzOz3sUAuadvIuWRK3OOyCB55C92q4dGYfWV6u50+BTTj1D77NiTF/SYTWoLri OdOABz6n3y9EOa+tgKkxTaL5v2f3Pn13JDA+O9x70Jpygb7sfPGGqyX8yemr2EHE 7vdRbvNi5ViLCPEWkH8vGmm8IgAthMQ/jc6KGboOLE6bvYIJTAhJIxgxlSxeMcwD eFT7iMXmCgmRvi/PEeyB1zCcujQ4EpGZQvefz5h/sKBhxWH3F1vUzKruT72FjjV2 dy7YxSRnQ6cvKzte+3ZYhcM40Cj6NJhaikzbZvlAePDy1k6kNCSO/PPKwnTcdewy mn+ETUEa573K7y90Q4FGTMhzcSHywPdWsaYZnjxwvBYhT+wDbv+HuNYOOQpfpsiQ MgHKjP33N0g7LLLrwYZy =F9Z5 -----END PGP SIGNATURE----- --tHDSLuTq8xdtLdDfvLg1dMmmOQ0rKiSIV--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?555D9866.7030507>