SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)

Openfire Openfire Support
1

I get this vulnerability when scanning via Nessus.

Vulnerable connection combinations on port 5223/tcp/jabber:

SSL/TLS version : TLSv1.1 Cipher suite : TLS1_CK_DHE_DSS_WITH_AES_128_CBC_SHA Diffie-Hellman MODP size (bits) : 1024 Warning - This is a known static Oakley Group2 modulus. This may make the remote host more vulnerable to the Logjam attack. Logjam attack difficulty : Hard (would require nation-state resources)

SSL/TLS version : TLSv1.1 Cipher suite : TLS1_CK_DHE_RSA_WITH_3DES_EDE_CBC_SHA Diffie-Hellman MODP size (bits) : 1024 Warning - This is a known static Oakley Group2 modulus. This may make the remote host more vulnerable to the Logjam attack. Logjam attack difficulty : Hard (would require nation-state resources)

SSL/TLS version : TLSv1.1 Cipher suite : TLS1_CK_DHE_DSS_WITH_3DES_EDE_CBC_SHA Diffie-Hellman MODP size (bits) : 1024 Warning - This is a known static Oakley Group2 modulus. This may make the remote host more vulnerable to the Logjam attack. Logjam attack difficulty : Hard (would require nation-state resources) SSL/TLS version : TLSv1.0 Cipher suite : TLS1_CK_DHE_DSS_WITH_AES_128_CBC_SHA Diffie-Hellman MODP size (bits) : 1024 Warning - This is a known static Oakley Group2 modulus. This may make the remote host more vulnerable to the Logjam attack. Logjam attack difficulty : Hard (would require nation-state resources) SSL/TLS version : TLSv1.0 Cipher suite : TLS1_CK_DHE_RSA_WITH_3DES_EDE_CBC_SHA Diffie-Hellman MODP size (bits) : 1024 Warning - This is a known static Oakley Group2 modulus. This may make the remote host more vulnerable to the Logjam attack. Logjam attack difficulty : Hard (would require nation-state resources) SSL/TLS version : TLSv1.0 Cipher suite : TLS1_CK_DHE_DSS_WITH_3DES_EDE_CBC_SHA Diffie-Hellman MODP size (bits) : 1024 Warning - This is a known static Oakley Group2 modulus. This may make the remote host more vulnerable to the Logjam attack. Logjam attack difficulty : Hard (would require nation-state resources)

I don’t have these ciphers enabled under client connections, encrypted connection legacy mode for client, advanced. I have TLS1.0, TLS1.1 and TLS1.2 enabled.

1019×287 15.4 KB

1436×448 31.4 KB

Any help would be appreciated.

Thank you.

2

Hmm, that might be a bug in Openfire then. When you don’t have them enabled, your scanner should not pick them up. :confused:

When all else fails, you might want to work around this problem by disabling those ciphers on the Java level. Openfire takes the ciphers provided by Java and the BouncyCastle provider, and lets you configure those. By not making them available to Openfire in the first place, they cannot be used. Have a look here: JSSE Reference Guide