search for: logjam

Hello, Does the recent Logjam[1] vulnerability affect Tinc? The security section of the Tinc website says: "Although tinc uses the OpenSSL library, it does not use the SSL protocol to establish connections between daemons" What would that mean, specifically, in regards to Logjam? Thank you for your time and...

On 05/26/2015 10:37 AM, Ron Leach wrote: > > https://weakdh.org/sysadmin.html > > includes altering DH parameters length to 2048, and re-specifying the > allowable cipher suites - they give their suggestion. It looks like there is an error on this page regarding regeneration. In current dovecots ssl_parameters_regenerate defaults to zero, and this means regeneration is

On 05/27/2015 09:55 AM, Rick Romero wrote: > Quoting Gedalya <gedalya at gedalya.net>: > >> On 05/26/2015 10:37 AM, Ron Leach wrote: >>> https://weakdh.org/sysadmin.html >>> >>> includes altering DH parameters length to 2048, and re-specifying the >>> allowable cipher suites - they give their suggestion. >> >> It looks like there

On 27/05/2015 05:22, Gedalya wrote: > It looks like there is an error on this page regarding regeneration. > In current dovecots ssl_parameters_regenerate defaults to zero, and > this means regeneration is disabled. The old default was 168 hours (1 > week). > The language on http://wiki2.dovecot.org/SSL/DovecotConfiguration is > confusing and could be understood to mean that the

>But when you write NOT to regenerate, are you saying that using larger primes makes regenerating unnecessary, or are you telling us that it's somehow harmful? For a given computational effort, you get the most bang-for-the-buck by choosing large parameters (and checking very carefully that they are "safe") rather than smaller parameters (and/or checking them less carefully)

> For a given computational effort, you get the most bang-for-the-buck by > choosing large parameters (and checking very carefully that they are > "safe") rather than smaller parameters (and/or checking them less > carefully) which you then regenerate. This discussion (on the OpenSSH mailing list) http://marc.info/?t=143221614200001 may be helpful to those thinking

>It is not at this point emphasized anywhere, including on weakdh.org, that it is actually of high importance to regenerate your DH parameters frequently. That's not really correct. If you're using a prime of length at least 2048 bits, then the corresponding discrete-log problem is well-beyond the pre-computation ability of the NSA (or anyone else). It is computationally intensive to

Quoting Gedalya <gedalya at gedalya.net>: > On 05/27/2015 09:55 AM, Rick Romero wrote: >> Quoting Gedalya <gedalya at gedalya.net>: >> >>> On 05/26/2015 10:37 AM, Ron Leach wrote: >>>> https://weakdh.org/sysadmin.html >>>> >>>> includes altering DH parameters length to 2048, and re-specifying the >>>> allowable

Quoting Gedalya <gedalya at gedalya.net>: > On 05/26/2015 10:37 AM, Ron Leach wrote: >> https://weakdh.org/sysadmin.html >> >> includes altering DH parameters length to 2048, and re-specifying the >> allowable cipher suites - they give their suggestion. > > It looks like there is an error on this page regarding regeneration. In > current dovecots

List, good afternoon, I was reading up on a TLS Diffie Hellman protocol weakness described here https://weakdh.org/sysadmin.html which is similar to the earlier FREAK attack, and can result in downgrade of cipher suites. Part of the solution workaround that the researchers describe for Dovecot here https://weakdh.org/sysadmin.html includes altering DH parameters length to 2048, and

...ard a guess that this is the change causing your problem. > > * Fri Jun 26 2015 Tomas Mraz <tmraz at redhat.com> 0.9.8e-36 > - also change the default DH parameters in s_server to 1024 bits > > Here's some more info, > > https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/ > > RH must have backported this fix to 0.9.8e. > > There seem to be many reports out there that the openssl update broke mysql, > but unfortunately, at a quick glance, they are all about RHEL6/openssl 1.0.1, > so you're most likely on your own. I'...

In article <55D2ED32.6040000 at hogranch.com>, John R Pierce <pierce at hogranch.com> wrote: > On 8/18/2015 1:27 AM, Tony Mountifield wrote: > >> You should now be using mysql55 on CentOS-5, not mysql-5.0 > > That may well be the case, but isn't relevant to the point I'm making, > > which is that something changed in openssl-0.9.8e-36 that has broken

https://bugzilla.mindrot.org/show_bug.cgi?id=2302 Bug ID: 2302 Summary: ssh (and sshd) should not fall back to deselected KEX algos Product: Portable OpenSSH Version: 6.7p1 Hardware: All OS: All Status: NEW Severity: security Priority: P5 Component: ssh

https://bugzilla.mindrot.org/show_bug.cgi?id=2302 Bug ID: 2302 Summary: ssh (and sshd) should not fall back to deselected KEX algos Product: Portable OpenSSH Version: 6.7p1 Hardware: All OS: All Status: NEW Severity: security Priority: P5 Component: ssh

...to date, all known occurrences have involved Centos 4.3 servers; makes no difference whether client is RHEL WS 4.3, Centos 4.3 or FC 5 or WinDoze. Makes no difference if terminal emulator is Gnome's stock issue or Konsole or Putty. Not sure about SecureCRT. Sometimes one can break loose the logjam; if so: . terminal prompts are stacked left to right vs. vertically . keyboard input is not echo'd . in this event, terminal clear/reset doesn't end if so. Any thoughts? rgds/ldv [vaden at mx1 ~]$ ps auxw | grep -i pts/0 vaden 2475 0.0 0.1 37444 3064 ? S 04:53 0:00 ssh...

Greetings, Given the weakness with Diffie-Hellman modp groups less than 2048, is it time to bump the suggested 1024 bit minimum value from the RFC 4419 to a more current 2048 value for OpenSSH 7.0? If so, should this be just a compile-time change, or should there be a new client and server runtime option? Thanks, -- Mark

Hi, I have compatibility issues with the latest version of openssh-server and an old dropbear client, the dopbear client stops at preauth ov 22 14:34:03 myhostname sshd[3905]: debug1: Client protocol version 2.0; client software version dropbear_0.46 Nov 22 14:34:03 myhostname sshd[3905]: debug1: no match: dropbear_0.46 Nov 22 14:34:03 myhostname sshd[3905]: debug1: Local version string

...auth] > > > > Can you help? > > That ~13-year-old version of dbclient only has weak key exchange methods - > diffie-hellman-group1-sha1, "OpenSSH supports this method, but does not > enable it by default because is weak and within theoretical range of the > so-called Logjam attack" and diffie-hellman-group1-dss, disabled by default > in OpenSSH in 2015. > > Also only weak CBC-mode ciphers, disabled by default in 2014. > > The right answer is to run a newer client. > > If there's no way to do that, least worst is probably to connect to &gt...

...less), which works. I would hazard a guess that this is the change causing your problem. * Fri Jun 26 2015 Tomas Mraz <tmraz at redhat.com> 0.9.8e-36 - also change the default DH parameters in s_server to 1024 bits Here's some more info, https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/ RH must have backported this fix to 0.9.8e. There seem to be many reports out there that the openssl update broke mysql, but unfortunately, at a quick glance, they are all about RHEL6/openssl 1.0.1, so you're most likely on your own. I'm quite ignorant of mysql...

...affected; most are, and all new ones appear to be. It's hard to pin down the general area of the fault because of the intermittent nature of successful print jobs. I think it's not account related because sometimes a given account can successfully print. Just now something cleared the logjam and everyone can print. But the problem will undoubtably recurr. _____________________________________________________________ Are you a Techie? Get Your Free Tech Email Address Now! Visit http://www.TechEmail.com