path: root/Server_Side_TLS.mediawiki
author: Julien Vehent <julien@linuxwall.info> 2015-05-20 19:49:13 -0400
committer: Julien Vehent <julien@linuxwall.info> 2015-05-20 19:49:13 -0400
commit: 6e348b8f320175e96df94e974ee3f3fdf5a07209 (patch)
tree: 94e9cc06d1c11727e11aec47e0b68a373f795226 /Server_Side_TLS.mediawiki
parent: f621f2fb7c588a5e5156b6117f9b4eab898ac194 (diff)
update phrasing on weakdh issue
Diffstat (limited to 'Server_Side_TLS.mediawiki')
-rw-r--r-- Server_Side_TLS.mediawiki | 5
1 files changed, 3 insertions, 2 deletions
diff --git a/Server_Side_TLS.mediawiki b/Server_Side_TLS.mediawiki
index dc7db0c..da01ee0 100644
--- a/Server_Side_TLS.mediawiki
+++ b/Server_Side_TLS.mediawiki
@@ -10,6 +10,7 @@ The Operations Security (OpSec) team maintains this document as a reference guid
! Document Status !! Major Versions
|-
| <span style="color:green;">'''READY'''</span> ||
+* Version 3.5: alm: comment on weakdh vulnerability
* Version 3.4: ulfr: added note about session resumption, HSTS and HPKP
* Version 3.3: ulfr: fix SHA256 prio, add POODLE details, update various templates
* Version 3.2: ulfr: Added intermediate compatibility mode, renamed other modes
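Review bot: the new changelog entry "Version 3.5: alm: comment on weakdh vulnerability" undersells what this commit changes. The Logjam hunk below does more than add a comment: it declares the intermediate and old configurations impacted and recommends 2048-bit DH parameters, which is a change in guidance that readers scanning the version table should be able to spot. Suggest something like "* Version 3.5: alm: Logjam/weakdh: recommend 2048-bit DH params, note impact on intermediate and old configs".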
@@ -877,9 +878,9 @@ Daniel Stenberg (Mozilla, cUrl) has a good description of the exploitability of
Our guidelines maintain support for SSLv3 in the Old configuration only. This is required for clients on Windows XP service pack 1 & 2 that do not have support for TLSv1.0. Internet Explorer and Chrome on those platforms are impacted. Mozilla wants to be reachable from very old clients, to allow them to download a better browser. Therefore, we maintain SSLv3 compatibility on a limited number of sites. But all sites that do not need that level of compatibility are encouraged to implement the Intermediate configuration
-=== Logjam attack ===
+=== Logjam attack on weak Diffie-Hellman ===
-The Logjam attack describes methods of attacking TLS servers supporting DHE export ciphers, and with weak (< 1024 bit) Diffie Hellman groups. Modern TLS servers should not include these configurations. The recommendations in this guide provide configurations that are not impacted by this.
+The Logjam attack describes methods of attacking TLS servers supporting DHE export ciphers, and with weak (<= 1024 bit) Diffie Hellman groups. Modern TLS must use DH parameters of 2048 bits and above, or only use ECDHE. The modern configuration in this guide provide configurations that are not impacted by this issue. The intermediate and old configurations are impacted, and administrators are encourage to use DH parameters of 2048 bits wherever possible.
more: https://weakdh.org
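Review bot: the rewritten paragraph leaves the reader with a contradiction. It first says modern TLS "must use DH parameters of 2048 bits and above, or only use ECDHE", then says administrators are merely "encourage[d]" to use 2048-bit parameters "wherever possible" for the intermediate and old configurations, without saying why those configurations cannot simply require them. Either state the constraint that keeps them on weaker groups (presumably that they still offer DHE suites and rely on the server's default group size) or drop the hedging. It would also help to separate the two findings of the Logjam work that the sentence runs together: DHE export ciphers, which must be absent outright, and 1024-bit groups, which are the reason 2048-bit parameters are now recommended; a pointer to how to generate them (for example `openssl dhparam 2048`) would make the recommendation actionable. Finally, two grammar slips in the added line: "The modern configuration in this guide provide configurations that are not impacted" should read "The modern configuration in this guide is not impacted by this issue", and "administrators are encourage to use" should be "encouraged".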