How to fix the Logjam vulnerability in OpenVPN server config?
Solution 1:
The attacks only affect OpenVPN in very limited ways, because:
- OpenVPN encourages users to generate their own DH-group using 'openssl dhparam', instead of using common groups. The man page / examples used to provide 1024 bits DH keys (updated to 2048 recently), and although 1024 bits dh params can be broken, that is still very expensive. Probably too expensive for your data if you don't share the group with others.
- OpenVPN does not support EXPORT DH parameters and thus the TLS rollback attack does not apply to OpenVPN.
To be on the safe side, use DH params of at least 2048 bits. Updating DH parameters is easy and only needs a change on the server. Generate new params using e.g.
$ openssl dhparam -out dh3072.pem 3072
then update your server config to use these new parameters
dh dh3072.pem
and restart the server.
Solution 2:
Briefly, the following points can be used as reference:
- Ensure that the DH params key is >= 2048 bits in size. If not, it should be re-generated.
- Ensure that the
tls-cipher
setting in the OpenVPN configuration file isn't overwritten, or if it is, that no weak and export-grade ciphers are included. (If it is not defined at all in the configuration, the list of supported ciphers for the version of OpenVPN installed can be checked with the command line:openvpn --show-tls
. - Ensure that the latest version of OpenSSL is installed. At this point in time, it is 1.0.2a. The export cipher functionality is disabled on this version, but it still allows the use of weaker DH keys.
PS: I wrote a blog post about it which says is the expanded version of the tl;dr given above.