SSLMate 1.2.0: Countering the Latest Attacks against SSL
Last week, a team of security researchers released a report that exposes weaknesses in the way that forward secrecy has been deployed on the Internet. Today, SSLMate is releasing version 1.2.0 of the SSLMate client, featuring updated configuration templates to help you secure your servers against these weaknesses.
The first part of the research describes the "Logjam" attack, which forces an SSL connection to downgrade to easily broken "export-grade" cryptography, a misfeature left over from the 1990s when the U.S. government tried to regulate encryption. This attack can be prevented by disabling export ciphers, something which SSLMate's configuration generator has always done. If you have been using sslmate mkconfig to configure your servers, you have never been vulnerable to this attack.
The second part of the research estimates that the cost of passively decrypting SSL connections that use the finite field Diffie-Hellman key exchange is within the reach of state-level adversaries when common, non-unique, 1024-bit parameters are used. Unfortunately, a lot of server programs use 1024-bit Diffie-Hellman with common parameters. The researchers infer, based on leaked documents, that the NSA has been exploiting this weakness to decrypt Internet communications.
Fortunately, the configuration generated by sslmate mkconfig is mostly unaffected: our recommended cipher list has always preferred the stronger and faster elliptic curve Diffie-Hellman, which is unaffected by this attack. However, some SSL clients, particularly older browsers, don't support elliptic curves, and would instead negotiate 1024-bit finite field Diffie-Hellman with common parameters. Therefore, SSLMate 1.2.0 now ships a file containing strong, 2048-bit Diffie-Hellman parameters, and sslmate mkconfig outputs the configuration directives necessary to use these stronger parameters.
There are a couple of caveats. First, Apache prior to 2.4.7 cannot use anything but common 1024-bit parameters (although your distro might have backported a fix; check the package changelog). Second, Java clients prior to Java 8 cannot connect to servers that use Diffie-Hellman parameters larger than 1024 bits. If you are using an older Apache or need to support old Java clients, you should just disable finite field Diffie-Hellman by prefixing the cipher list returned by sslmate mkconfig with !EDH:. Modern clients will continue to use elliptic curve Diffie-Hellman with forward secrecy, while older clients will use the RSA handshake. Although the RSA handshake does not provide forward secrecy, 2048-bit RSA (as used by all SSLMate certificates) is stronger than 1024-bit finite field Diffie-Hellman.
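As an added illustration (not code from the SSLMate client), this Python script uses only the standard-library ssl module to show what the !EDH: prefix does to an OpenSSL cipher list: the "!" removes finite-field DHE suites permanently, so later entries in the same list cannot re-add them, while ECDHE suites stay available. The cipher list below is a constructed stand-in; the real sslmate mkconfig output is not reproduced here.

```python
"""Demonstrate the effect of prefixing an OpenSSL cipher list with '!EDH:'."""
import ssl

# Constructed stand-in for a mkconfig-style list: it prefers ECDHE, then falls
# back to finite-field DHE, and finally to the plain RSA handshake.
BASE_CIPHER_LIST = (
    "ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:RSA+AESGCM:RSA+AES:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5"
)


def negotiable_ciphers(cipher_list):
    """Return the suite names OpenSSL would actually offer for this list string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)
    return [c["name"] for c in ctx.get_ciphers()]


def finite_field_dhe(names):
    """Pick out suites that use finite-field Diffie-Hellman (DHE/EDH, not ECDHE)."""
    return [n for n in names if n.startswith(("DHE-", "EDH-", "DH-"))]


def disable_edh(cipher_list):
    """The post's mitigation: '!EDH:' at the front kills every EDH suite for good.
    A leading '-EDH:' would not work, because the later 'DHE+...' entries
    could add the suites back; '!' is a permanent removal."""
    return "!EDH:" + cipher_list


if __name__ == "__main__":
    before = negotiable_ciphers(BASE_CIPHER_LIST)
    after = negotiable_ciphers(disable_edh(BASE_CIPHER_LIST))
    print("finite-field DHE before:", finite_field_dhe(before))
    print("finite-field DHE after: ", finite_field_dhe(after))
    print("ECDHE still offered:", any(n.startswith("ECDHE-") for n in after))
```

Which DHE suites appear in the "before" list depends on the OpenSSL build Python is linked against; the "after" list never contains any.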
Getting SSLMate 1.2.0
If you've installed SSLMate through APT or Yum, upgrading to 1.2.0 is as simple as running apt-get update && apt-get upgrade or yum update. If you're using Homebrew, an updated formula should be available later today. Otherwise, head over to our install page or our GitHub repository to download and install the new version.
Technical Details
SSLMate installs the Diffie-Hellman parameters to its share directory (/usr/share/sslmate on most operating systems). The file containing the parameters is in the PEM-encoded format understood by OpenSSL. The parameters are group 14 from RFC 3526. Although these are common, non-unique parameters, it's OK to use them: 2048-bit parameters, whether common or unique, are outside the reach of the pre-computation attack described by the Logjam researchers. Any breakthrough that fells 2048-bit Diffie-Hellman with non-unique parameters is virtually certain to also fell 2048-bit Diffie-Hellman with unique parameters.
