Openvpn – How to fix the Logjam vulnerability in OpenVPN server config

logjam, openvpn, tls

As of this writing (Day-2), there are quite a few accurate guidelines as to how to mitigate Logjam for Apache and other web servers, such as this page:

https://weakdh.org/sysadmin.html

What are the similar instructions for OpenVPN servers?

Is OpenVPN affected at all? (I guess yes since it is a TLS protocol issue).

Best Answer

The attacks only affect OpenVPN in very limited ways, because:

  1. OpenVPN encourages users to generate their own DH group using 'openssl dhparam', instead of using common groups. The man page / examples used to provide 1024-bit DH keys (updated to 2048 recently), and although 1024-bit DH params can be broken, that is still very expensive. Probably too expensive for your data if you don't share the group with others.
  2. OpenVPN does not support EXPORT DH parameters and thus the TLS rollback attack does not apply to OpenVPN.

To be on the safe side, use DH params of at least 2048 bits. Updating DH parameters is easy and only needs a change on the server. Generate new params using e.g.

$ openssl dhparam -out dh3072.pem 3072

then update your server config to use these new parameters

dh dh3072.pem

and restart the server.
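An added example (not from the question or the answer above) that checks a server config the way this fix implies: it reads the file named by the `dh` directive, decodes the PKCS#3 DHParameter structure that `openssl dhparam` writes (a SEQUENCE of the prime p and generator g), and flags a prime below 2048 bits. The PEM encoder, the sample group values (not real primes) and the config text are constructed here so it runs offline.

```python
import base64, re

MIN_DH_BITS = 2048  # floor recommended in the answer above

def _der_len(n):  # DER length octets, short or long form
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb

def _der_int(n):  # DER INTEGER; the extra byte keeps the sign bit clear
    b = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(b)) + b

def make_dh_pem(p, g=2):
    """Encode PKCS#3 DHParameter {p, g} the way `openssl dhparam` writes it."""
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % wrapped

def _der_read(buf, pos=0):  # -> (tag, value, next_pos) for the TLV at buf[pos]
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits count the length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(pem_text):
    """Bit length of the prime p inside a PEM 'DH PARAMETERS' block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block")
    tag, seq, _ = _der_read(base64.b64decode("".join(m.group(1).split())))
    ptag, p_bytes, _ = _der_read(seq)
    if tag != 0x30 or ptag != 0x02:
        raise ValueError("not a PKCS#3 DHParameter structure")
    return int.from_bytes(p_bytes, "big").bit_length()

def audit_dh(config_text, read_file):
    """(ok, bits) for the config's `dh` directive; read_file(path) -> str is injected."""
    for line in config_text.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 2 and words[0] == "dh" and words[1] != "none":
            bits = dh_prime_bits(read_file(words[1]))
            return bits >= MIN_DH_BITS, bits
    return False, None  # no DH file configured (ECDH-only or missing directive)

# Constructed sample groups (NOT real primes; only their bit lengths matter here).
SAMPLE_FILES = {"dh1024.pem": make_dh_pem((1 << 1023) | 1), "dh3072.pem": make_dh_pem((1 << 3071) | 1)}
OLD_CONFIG = "port 1194\nproto udp\ndh dh1024.pem   # pre-Logjam default\n"
```

Run `audit_dh(OLD_CONFIG, SAMPLE_FILES.get)` to see the old group rejected as 1024-bit, and the same call with `dh dh3072.pem` substituted to see the regenerated group pass.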