Avoid Logjam Attack with Pound
This article describes how the Logjam attack can be prevented with the reverse proxy Pound. Logjam targets TLS connections whose Diffie-Hellman key exchange uses export-grade (512-bit) or weak, widely shared 1024-bit DH groups; the mitigation is to have the server use its own DH group of at least 2048 bits. The following instructions assume that you are using the specially patched Pound version 2.6-pcidss from Joe Gooch. More information about the Logjam attack can be found on the OpenSSL blog and at weakdh.org.
First, generate a 2048-bit DH group file with OpenSSL (this can take a few minutes):
openssl dhparam -out /etc/pound/dhparams.pem 2048
Enabling DHparams in Pound
The global directive "DHParams" has been added to Pound 2.6-pcidss by the DHParams patch (commit linked below).
Since this is a global directive, specify it at the top level of the Pound configuration, not inside ListenHTTPS.
Restart Pound afterwards so that the new configuration and the DH group file are loaded.
We recommend that you check your website with the Qualys SSL Labs Server Test before and after the restart; after the change it should no longer flag the server as vulnerable to Logjam and should report a 2048-bit DH group.
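As an added example (not code from the original article, from Pound or from Joe Gooch's patch), the following POSIX shell script ties the steps above together: it generates and validates the DH group with the openssl command shown earlier, and it checks that DHParams sits at the top level of a Pound configuration rather than inside ListenHTTPS. The config file path, the DH file path and the two sample configurations are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original article or from Pound/Joe Gooch's patch.
# Assumptions: config and DH file paths are placeholders; the two sample
# configurations written by write_samples are constructed for illustration.
set -u

# Generate a fresh 2048-bit DH group (the article's openssl command) and make
# sure OpenSSL can parse it back before handing it to Pound.
gen_dhparams() {
    out="$1"
    openssl dhparam -out "$out" 2048 2>/dev/null &&
        openssl dhparam -in "$out" -noout -check >/dev/null 2>&1
}

# Check where DHParams sits in a Pound config. DHParams is a global directive,
# so it must appear outside every ListenHTTPS/Service/BackEnd block.
# Exit status: 0 = present at top level, 1 = missing, 2 = nested inside a block.
check_dhparams_placement() {
    awk '
        /^[[:space:]]*#/ { next }                       # skip comment lines
        /^[[:space:]]*(ListenHTTPS?|Service|BackEnd|Emergency|Session)([[:space:]]|$)/ { depth++ }
        /^[[:space:]]*End([[:space:]]|$)/               { depth-- }
        /^[[:space:]]*DHParams[[:space:]]/ {
            if (depth == 0) top++; else nested++
        }
        END {
            if (nested > 0) exit 2
            if (top == 0)   exit 1
            exit 0
        }
    ' "$1"
}

# Two constructed configs: the correct placement and the common mistake.
write_samples() {
    dir="$1"
    cat >"$dir/good.cfg" <<'EOF'
User "www-data"
Group "www-data"
# correct: DHParams is a global directive
DHParams "/etc/pound/dhparams.pem"

ListenHTTPS
    Address 0.0.0.0
    Port 443
    Cert "/etc/pound/site.pem"
    Service
        BackEnd
            Address 127.0.0.1
            Port 8080
        End
    End
End
EOF
    cat >"$dir/bad.cfg" <<'EOF'
User "www-data"
Group "www-data"

ListenHTTPS
    Address 0.0.0.0
    Port 443
    Cert "/etc/pound/site.pem"
    # wrong: DHParams is a global directive, not a ListenHTTPS directive
    DHParams "/etc/pound/dhparams.pem"
    Service
        BackEnd
            Address 127.0.0.1
            Port 8080
        End
    End
End
EOF
}

# Usage: sh pound-logjam-check.sh /etc/pound/pound.cfg [/etc/pound/dhparams.pem]
if [ $# -ge 1 ]; then
    cfg="$1"
    dh="${2:-/etc/pound/dhparams.pem}"
    if [ ! -s "$dh" ]; then
        gen_dhparams "$dh" || { echo "could not generate $dh" >&2; exit 1; }
    fi
    check_dhparams_placement "$cfg"
    rc=$?
    case $rc in
        0) echo "OK: DHParams is a global directive in $cfg" ;;
        1) echo "MISSING: add DHParams \"$dh\" at the top level of $cfg" >&2 ;;
        2) echo "MISPLACED: DHParams is inside a Listen/Service block in $cfg; move it to the top level" >&2 ;;
    esac
    exit $rc
fi
```

Run it as `sh pound-logjam-check.sh /etc/pound/pound.cfg`; a non-zero exit status tells you whether the directive is missing (1) or nested inside a block (2). The script does not restart Pound, and it does not replace the SSL Labs check, which exercises the live TLS handshake rather than the configuration file.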
- Pound version 2.6 with pcidss Patches from Joe Gooch (github.com)
- Logjam, FREAK and Upcoming Changes in OpenSSL (openssl.org)
- The Logjam Attack (weakdh.org)
- DHParams Patch (github.com)
Author: Christoph Mitasch
Christoph Mitasch works in the Web Operations & Knowledge Transfer team at Thomas-Krenn. He is responsible for the maintenance and further development of the webshop infrastructure. After an internship at IBM Linz, he finished his diploma studies in "Computer- and Media-Security" at FH Hagenberg. He lives near Linz and, besides work, is an enthusiastic marathon runner and juggler, holding various world records in juggling.