New logjam tls attack

just4t · May 21, 2015, 2:15pm

Hi Josh,
Seeing this yesterday report: https://serverpilot.io/blog/2015/05/20/logjam-tls-attack.html about Logjam TLS Attack I think could be an improvement to limit Diffie-Hellman cryptographic key exchange cyphers length to be 2048bits by default for all newly created Mail-in-a-Box servers and adding a default warning for OLD ones that could still use the 1024bits now considered WEAK.
Hope this helps,
Rgrds,

JoshData · May 21, 2015, 5:38pm

There was actually no time when Mail-in-a-Box generated a 1024-bit dhparam file. (We started with 2048 bits here.)

Since yesterday I started recording in git the ciphers offered by each of the services on the box. Hopefully we can get more eyes on the TLS configuration to make sure it’s right and stays right!

github.com

mail-in-a-box/mailinabox/blob/master/tests/tls_results.txt

PORT 25
-------

  * Deflate Compression:
      OK - Compression disabled          

  * Session Renegotiation:
      Client-initiated Renegotiations:   VULNERABLE - Server honors client-initiated renegotiations
      Secure Renegotiation:              OK - Supported

  * OpenSSL Heartbleed:
      OK - Not vulnerable to Heartbleed  

  * Session Resumption:
      With Session IDs:                  OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
      With TLS Session Tickets:          NOT SUPPORTED - TLS ticket not assigned.

  * SSLV2 Cipher Suites:
      Server rejected all cipher suites.

This file has been truncated. show original