Followup on earlier Improving Qualys SSL server test results regarding Poodle attack and SHA1, the following should secure servers I use (openssh/nginx/exim/dovecot on Debian/Devuan) against Logjam attack on TLS protocol tied to weak Diffie-Hellman.
OpenSSH shell server
Run the following and look for the line KEX algorithms. It is fine unless diffie-hellman-group1-sha1 shows up.
ssh -vvv serverhostname
Debian default is ok.
Nginx HTTPs server
cd /etc/ssl openssl dhparam -out dhparams.pem 2048
Edit /etc/nginx/nginx.conf:
## # SSL Settings ## ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; ssl_prefer_server_ciphers on; ssl_dhparam /etc/ssl/dhparams.pem;
Restart:
invoke-rc.d nginx restart
Dovecot IMAPs server
Edit /etc/dovecot/conf.d/10-ssl.conf:
# How often to regenerate the SSL parameters file. Generation is quite CPU # intensive operation. The value is in hours, 0 disables regeneration # entirely. ssl_parameters_regenerate = 168h ssl_dh_parameters_length = 2048 # SSL protocols to use ssl_protocols = !SSLv3 # note: add also !SSLv2 if openssl < 1.1 # SSL ciphers to use ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
Restart:
invoke-rc.d dovecot restart
Exim SMTPs server
In my case, the relevant file /etc/exim4/conf.d/main/00_stalag13-config_0ssl is managed by my -exim package.
# deactivate outdated SSLv3 (compiled with TLS) # deactivate weak diffie-hellman tls_require_ciphers = NORMAL:!DHE-RSA:!DHE-DSS:!DHE-PSK:!ANON-DH:!MD5:!SRP:!PSK:!VERS-SSL3.0
Restart:
invoke-rc.d exim restart
This should gives a A rating as of today, except regarding possibly self-signed certificate. There is a convenient tool to check Logjam vulnerability at keycdn.com.
# cd /scratch 