Avoid Logjam Attack with Pound
Please note that this article or category refers to older software or hardware components, or is no longer maintained for other reasons. This page is no longer updated and remains available in the archive purely for reference purposes.
This article describes how the Logjam Attack can be prevented with the reverse proxy Pound. The following instructions assume that you are using the specially patched Pound version 2.6-pcidss from Joe Gooch.[1] More information about the Logjam Attack can be found on the OpenSSL Blog and at weakdh.org.[2][3]
Diffie-Hellman group
First, generate a 2048-bit DH group file with OpenSSL:
openssl dhparam -out /etc/pound/dhparams.pem 2048
Enabling DHparams in Pound
The global directive "DHParams" has been added to Pound 2.6-pcidss with the following commit.[4]
Since this is a global directive, please specify it at the top level of the Pound configuration (not inside ListenHTTPS).
DHParams "/etc/pound/dhparams.pem"
Restart Pound afterwards.
We recommend that you check your website before and after the restart with the Qualys SSL Labs check.
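As an added, offline counterpart to that check (example code, not from the article or the Pound project), the following Python script audits the two points above: that DHParams is a top-level directive in the Pound configuration rather than nested in ListenHTTPS, and that the referenced PEM file holds a DH prime of at least 2048 bits. The block names it recognises (ListenHTTPS, Service, BackEnd, Emergency, Session) and the "End" terminator follow Pound's config syntax; the PEM encoder at the bottom exists only to build a constructed test fixture, so the prime it produces is not a real safe prime.

```python
import base64
import re

# The bits of Pound's config grammar we need: block openers, "End", DHParams.
BLOCK_OPEN = re.compile(r"^\s*(ListenHTTPS?|Service|BackEnd|Emergency|Session)\b", re.I)
BLOCK_END = re.compile(r"^\s*End\b", re.I)
DHPARAMS = re.compile(r'^\s*DHParams\s+"([^"]+)"', re.I)

def find_dhparams(config_text):
    """Return (path, is_global) for the first DHParams directive, else (None, False)."""
    depth = 0
    for line in config_text.splitlines():
        line = line.split("#", 1)[0]  # drop comments
        m = DHPARAMS.match(line)
        if m:
            return m.group(1), depth == 0
        if BLOCK_OPEN.match(line):
            depth += 1
        elif BLOCK_END.match(line):
            depth -= 1
    return None, False

def _der_len(buf, i):  # decode the DER length at buf[i] -> (length, content index)
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def dh_prime_bits(pem_text):
    """Bit length of p in a DH PARAMETERS PEM (DER: SEQUENCE { INTEGER p, INTEGER g })."""
    der = base64.b64decode("".join(l for l in pem_text.splitlines() if "-----" not in l))
    assert der[0] == 0x30, "expected SEQUENCE"
    _, i = _der_len(der, 1)
    assert der[i] == 0x02, "expected INTEGER p"
    plen, i = _der_len(der, i + 1)
    return int.from_bytes(der[i:i + plen], "big").bit_length()

def logjam_findings(config_text, pem_text, min_bits=2048):
    """Empty list means the mitigation described in the article is in place."""
    path, is_global = find_dhparams(config_text)
    out = [] if path and is_global else ["DHParams missing or not a top-level directive"]
    bits = dh_prime_bits(pem_text)
    return out + ([f"DH prime is only {bits} bits"] if bits < min_bits else [])

# Constructed fixture: encode a DH PARAMETERS PEM ourselves. p is NOT a real safe
# prime, it only has the wanted bit length; real deployments use openssl dhparam.
def _der_len_enc(n):
    return bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")
def _der_int(n):
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")  # spare byte keeps the sign bit clear
    return b"\x02" + _der_len_enc(len(raw)) + raw
def make_dh_pem(p, g=2):
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len_enc(len(body)) + body).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{lines}\n-----END DH PARAMETERS-----\n"
```

Point `logjam_findings` at your real pound.cfg and the file it names in DHParams; a file written by `openssl dhparam ... 2048` reports 2048 bits.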
References
- ↑ Pound version 2.6 with pcidss Patches from Joe Gooch (github.com)
- ↑ Logjam, FREAK and Upcoming Changes in OpenSSL (openssl.org)
- ↑ The Logjam Attack (weakdh.org)
- ↑ DHParams Patch (github.com)
Author: Christoph Mitasch. Christoph Mitasch works in the Web Operations & Knowledge Transfer team at Thomas-Krenn. He is responsible for the maintenance and further development of the webshop infrastructure. After an internship at IBM Linz, he finished his diploma studies "Computer- and Media-Security" at FH Hagenberg. He lives near Linz and, besides his work, is an enthusiastic marathon runner and juggler who holds various world records.