Avoid Logjam Attack with Pound

From Thomas-Krenn-Wiki

This article describes how the Logjam Attack can be prevented with the reverse proxy Pound. The following instructions assume that you are using the specially patched Pound version 2.6-pcidss from Joe Gooch.[1] More information about the Logjam Attack can be found on the OpenSSL Blog and at weakdh.org.[2][3]

Diffie-Hellman group

First, generate a DH group file with OpenSSL (a 2048-bit group is the minimum weakdh.org recommends; generation can take several minutes):

openssl dhparam -out /etc/pound/dhparams.pem 2048

Enabling DHparams in Pound

The global directive "DHParams" has been added to Pound 2.6-pcidss with the following commit.[4]

Since this is a global directive, please specify it at the top level of the Pound configuration (not inside ListenHTTPS).

DHParams "/etc/pound/dhparams.pem"

Restart Pound afterwards.

We recommend that you check your website before and after the restart with the Qualys SSL Labs test.
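The following script is an added example for this article (it is not part of the Thomas-Krenn page or of Pound itself) and shows two local checks a practitioner would run before restarting: that the generated group really has at least 2048 bits, and that the DHParams directive sits at the top level of the Pound configuration rather than inside ListenHTTPS. It assumes the OpenSSL CLI is installed and that Pound blocks are closed with "End"; the third function, which reads the DH key size a running server actually negotiates from openssl s_client, needs network access.

```shell
#!/bin/sh
# Added example, not from the article or the Pound project.
# Assumes: openssl CLI present; Pound config blocks end with "End".

# check_dhparams FILE [MINBITS]
# Returns 0 if FILE holds a DH group of at least MINBITS (default 2048) bits.
check_dhparams() {
    file=$1
    minbits=${2:-2048}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    # "openssl dhparam -text" prints a header such as "DH Parameters: (2048 bit)"
    bits=$(openssl dhparam -in "$file" -noout -text 2>/dev/null \
           | grep -Eo '\([0-9]+ bit\)' | head -n 1 | tr -dc '0-9')
    [ -n "$bits" ] || { echo "$file: not a DH parameter file" >&2; return 1; }
    if [ "$bits" -lt "$minbits" ]; then
        echo "$file: $bits-bit group is below the $minbits-bit minimum" >&2
        return 1
    fi
    echo "$file: $bits-bit DH group OK"
}

# dhparams_at_top_level CONFIG
# Returns 0 if a DHParams directive appears outside every block
# (ListenHTTPS, Service, BackEnd, ...), i.e. at the global level.
# Pound keywords are matched case-insensitively.
dhparams_at_top_level() {
    awk '
        { key = tolower($1) }
        key ~ /^(listenhttps?|service|backend|emergency|session)$/ { depth++ }
        key == "end" && depth > 0 { depth-- }
        key == "dhparams" && depth == 0 { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# negotiated_dh_bits HOST:PORT
# Prints the "Server Temp Key" line, e.g. "Server Temp Key: DH, 2048 bits",
# showing the ephemeral DH size the live server hands out (network required).
negotiated_dh_bits() {
    openssl s_client -connect "$1" -cipher 'DHE' </dev/null 2>/dev/null \
        | grep 'Server Temp Key'
}
```

Run `check_dhparams /etc/pound/dhparams.pem` and `dhparams_at_top_level /etc/pound/pound.cfg` before the restart; after it, `negotiated_dh_bits yourhost:443` should report a 2048-bit DH key.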

References

  1. Pound version 2.6 with pcidss Patches from Joe Gooch (github.com)
  2. Logjam, FREAK and Upcoming Changes in OpenSSL (openssl.org)
  3. The Logjam Attack (weakdh.org)
  4. DHParams Patch (github.com)


Author: Christoph Mitasch

Christoph Mitasch works in the Web Operations & Knowledge Transfer team at Thomas-Krenn. He is responsible for the maintenance and further development of the webshop infrastructure. After an internship at IBM Linz, he finished his diploma studies in "Computer- and Media-Security" at FH Hagenberg. He lives near Linz and, besides his work, is an enthusiastic marathon runner and juggler who holds various world records.