Improving Qualys SSL server test results regarding weak Diffie-Hellman and Logjam attack

Followup on earlier Improving Qualys SSL server test results regarding Poodle attack and SHA1, the following should secure servers I use (openssh/nginx/exim/dovecot on Debian/Devuan) against Logjam attack on TLS protocol tied to weak Diffie-Hellman.

OpenSSH shell server

Run the following and look for the line KEX algorithms. It is fine unless diffie-hellman-group1-sha1 shows up.

ssh -vvv serverhostname

Debian default is ok.

Nginx HTTPs server

cd /etc/ssl
openssl dhparam -out dhparams.pem 2048

Edit /etc/nginx/nginx.conf:

##
# SSL Settings
##

ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/dhparams.pem;

Restart:

invoke-rc.d nginx restart

Dovecot IMAPs server

Edit /etc/dovecot/conf.d/10-ssl.conf:

# How often to regenerate the SSL parameters file. Generation is quite CPU      
# intensive operation. The value is in hours, 0 disables regeneration           
# entirely.                                                                     
ssl_parameters_regenerate = 168h
ssl_dh_parameters_length = 2048

# SSL protocols to use                                                          
ssl_protocols = !SSLv2 !SSLv3

# SSL ciphers to use                                                            
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

Restart:

invoke-rc.d dovecot restart

Exim SMTPs server

In my case, the relevant file /etc/exim4/conf.d/main/00_stalag13-config_0ssl is managed by my -exim package.

# deactivate outdated SSLv3 (compiled with TLS)
# deactivate weak diffie-hellman
tls_require_ciphers = NORMAL:!DHE-RSA:!DHE-DSS:!DHE-PSK:!ANON-DH:!MD5:!SRP:!PSK:!VERS-SSL3.0

Restart:

invoke-rc.d exim restart

This should gives a A rating as of today, except regarding possibly self-signed certificate. There is a convenient tool to check Logjam vulnerability at keycdn.com.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s