SSL Endpoint Analysis report for secure 10.1+ EM Web Server shows LOGJAM Vulnerability for DH key length of 1024 bits (nation-state surveillance)

Document ID : KB000046138
Last Modified Date : 14/02/2018

Problem:

SSL Endpoint Analysis report for secure 10.1 EM Web Server and higher versions shows LOGJAM Vulnerability:

The server could allow client connections that are vulnerable to the LOGJAM attack. 

A DH Param of 1024 was used which is vuln to nation-state surveillance.

 

Environment:

APM 10.1 and higher versions use a Java 1.8 version that resolves the original Logjam vulnerability, per KB article TEC1514135:

Webview (HTTPS) error with Chrome/Firefox (Server has a weak ephemeral Diffie-Hellman public key)

 

Cause:

The original Logjam vulnerability was reported for smaller DH key sizes, e.g. 512 and 768 bits.

The Logjam vulnerability reported for a key size of 1024 bits extends the original finding to cover the fact that a nation-state can break a 1024-bit key.

For further details see: Weak Diffie-Hellman and the Logjam Attack

 

Resolution:

The latest Java 1.8 uses a DH key size of 1024 bits by default, which overcomes the original Logjam vulnerability. To overcome the 1024-bit vulnerability, update the EM_HOME/jre/lib/security/java.security file with this property to enforce a 2048-bit DH key size:

jdk.tls.ephemeralDHKeySize=2048
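
To confirm which ephemeral DH size the server actually negotiates, the "Server Temp Key" line of `openssl s_client` output can be checked against the 2048-bit minimum. The script below is an added example, not part of the original KB article; HOST:PORT is a placeholder and the two handshake excerpts are constructed samples.

```shell
#!/bin/sh
# Added example (not from the KB article): report the ephemeral key size
# a TLS server negotiated, from `openssl s_client` output on stdin.
#
# Live use (HOST:PORT is a placeholder for the EM Web Server HTTPS endpoint):
#   openssl s_client -connect HOST:PORT -tls1_2 -cipher DHE </dev/null 2>/dev/null \
#     | classify_temp_key 2048

# Prints one of:
#   WEAK <bits>   finite-field DH smaller than the required minimum
#   OK <bits>     finite-field DH at or above the minimum
#   NOT_DHE       an ephemeral key was used, but not finite-field DH (e.g. ECDH)
#   NO_TEMP_KEY   no "Server Temp Key" line (failed handshake or static RSA)
#   UNKNOWN       a DH line whose size could not be parsed
classify_temp_key() {
    min_bits="${1:-2048}"
    line=$(grep -m1 '^Server Temp Key:' || true)
    case "$line" in
        "Server Temp Key: DH, "*)
            bits=$(printf '%s\n' "$line" |
                sed -n 's/^Server Temp Key: DH, \([0-9]\{1,\}\) bits.*$/\1/p')
            if [ -z "$bits" ]; then
                echo "UNKNOWN"
            elif [ "$bits" -lt "$min_bits" ]; then
                echo "WEAK $bits"
            else
                echo "OK $bits"
            fi ;;
        "") echo "NO_TEMP_KEY" ;;
        *)  echo "NOT_DHE" ;;
    esac
}

# Constructed excerpts of s_client output, before and after the property change.
sample_before='Peer signing digest: SHA256
Server Temp Key: DH, 1024 bits
---'
sample_after='Peer signing digest: SHA256
Server Temp Key: DH, 2048 bits
---'

printf 'before: %s\n' "$(printf '%s\n' "$sample_before" | classify_temp_key)"
printf 'after:  %s\n' "$(printf '%s\n' "$sample_after" | classify_temp_key)"
```

A NOT_DHE result means the client and server agreed on an elliptic-curve suite, so the DH setting was not exercised by that handshake; restricting the client to DHE suites, as in the commented command, forces the check.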

 

Additional Information:

Java Secure Socket Extension (JSSE) Reference Guide > Customizing JSSE

See "Customizing Size of Ephemeral Diffie-Hellman Keys"