I dearly hope that by now readers are well aware of Logjam.
Logjam affects not only SSL traffic over the web, as most of the Internet would have us believe. It affects any kind of traffic that relies on TLS. That includes SMTP traffic, SSH traffic, and OpenVPN traffic, among others. There are quick guides available on how to secure several different types of traffic affected by Logjam, including this one provided by the folks who discovered the issue. Cloudflare has a nice write-up about the Logjam issue as well.
I’m here to talk about OpenVPN and how to protect VPN traffic from being affected by Logjam. I had trouble finding information about OpenVPN in relation to Logjam.
If a DHPARAM key smaller than or equal to 1024 bits in size is being used, a new key of at least 2048 bits must be generated and used. The following command generates a new key of size 2048:
openssl dhparam -out dhparams.pem 2048
OpenSSL must be updated to the latest version available. At the time this is being written, the latest version available of OpenSSL is 1.0.2a. In the 1.0.2a version of OpenSSL, the EXPORT class of cipher suites is disabled by default. This class of cipher suites is the Achilles’ heel exploited by Logjam in particular. Disabling it means that OpenSSL will by default refuse connections which attempt to use any of the EXPORT grade cipher suites.
The configuration of the OpenVPN server must be examined. In particular, attention must be paid to the “tls-cipher” setting. If this setting is defined in the configuration, check whether it lists any EXPORT grade cipher suites. If any EXPORT grade cipher suites are defined, they must be removed. This section on OpenVPN Hardening provides a secure list of ciphers to boot. If the setting is left out of the configuration, the output of the following command should show whether weak, EXPORT grade ciphers are accepted by default:
openvpn --show-tls
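The two server-side checks described above (the size of the DH parameters and EXPORT entries in tls-cipher) can be scripted. The following Python sketch is an added example, not code from OpenVPN or OpenSSL; the function names, the sample file name dh.pem and the sample inputs are assumptions made for illustration.

```python
import base64
import re

def read_tlv(buf, pos):
    # Minimal DER reader: returns (tag, value bytes, next position).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(pem_text):
    """Bit length of the prime p in a PEM 'DH PARAMETERS' block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p, _ = read_tlv(seq, 0)  # first INTEGER in the SEQUENCE is the prime p
    if tag != 0x02:
        raise ValueError("expected INTEGER")
    return int.from_bytes(p, "big").bit_length()

def audit_openvpn_config(conf_text, read_file):
    """Findings for the two checks in the text: tls-cipher and DH size."""
    findings = []
    for line in conf_text.splitlines():
        parts = line.split("#")[0].split()
        if len(parts) < 2:
            continue
        if parts[0] == "tls-cipher":
            # IANA-style names contain EXPORT; OpenSSL-style names start with EXP-
            weak = [c for c in parts[1].split(":")
                    if "EXPORT" in c.upper() or c.upper().startswith("EXP-")]
            findings += ["EXPORT cipher suite in tls-cipher: " + c for c in weak]
        elif parts[0] == "dh":
            bits = dh_prime_bits(read_file(parts[1]))
            if bits < 2048:
                findings.append("dh %s is %d bits; generate 2048 or larger" % (parts[1], bits))
    return findings

# Constructed sample input: toy parameters (p=23, g=5) and a two-line config.
SAMPLE_PEM = "-----BEGIN DH PARAMETERS-----\nMAYCARcCAQU=\n-----END DH PARAMETERS-----\n"
SAMPLE_CONF = "dh dh.pem\ntls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA\n"
if __name__ == "__main__":
    for finding in audit_openvpn_config(SAMPLE_CONF, lambda path: SAMPLE_PEM):
        print(finding)
```

To run it against a real server, pass the contents of the server configuration file and a read_file callable that opens the path given in the dh directive.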
According to this blog post by OpenSSL about Logjam, OpenSSL plans to release 1.0.2b which will reject connections that use a DHPARAM key <= 768 bits in size. Once available, servers and clients should be updated quickly to use it.