TLS/SSL LOGJAM attack
Description
The LOGJAM attack (CVE-2015-4000) is a man-in-the-middle vulnerability affecting SSL/TLS connections that use Diffie-Hellman (DH) key exchange. An attacker can exploit weak Diffie-Hellman parameters to downgrade a connection to export-grade cryptography (512-bit keys), or can target servers that use small or widely shared DH primes. This vulnerability is reported when a server supports DHE export cipher suites, uses DH primes smaller than 1024 bits, or uses one of the common ("standard") DH primes of 1024 bits or less; all of these are susceptible to cryptographic attack.
Remediation
Immediately reconfigure your SSL/TLS server to eliminate weak Diffie-Hellman configurations:
1. Disable all DHE_EXPORT cipher suites completely
2. Remove support for DH primes smaller than 2048 bits (1024-bit primes are no longer considered secure)
3. Avoid using common or standard DH primes; generate unique, strong DH parameters of at least 2048 bits
4. Consider migrating to Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) cipher suites, which provide better performance and security
For detailed server-specific configuration instructions, consult the 'Guide to Deploying Diffie-Hellman for TLS' referenced below. After making changes, verify your configuration using SSL testing tools to ensure weak DH parameters are no longer accepted.