Java with your LogJam?

A new SSL vulnerability known as LogJam was recently identified on May 20th 2015. Being the conscientious company we are, we immediately set about patching systems and upgrading ciphers.

After reconfiguring a bunch of cipher suites and generating a unique DH Group as instructed here, we found that clients running Java 6 failed to establish a secure connection with our servers.

Running the URL through SSL Labs, we see the following.

[Image: Java 6 ciphers]

The reason is that Java 6 only supports DH Groups at or below 1024 bits. Java 7 will also have problems unless it uses ECDHE ciphers. See Mozilla Security and the OpenSSL Blog.

What this basically means is that if you want to patch for Logjam fully, all clients running Java 6 need to be upgraded to either 7 (with ECDHE) or 8, depending on the server and the ciphers it supports. This may be imposed on you as a client over the next month or so as servers you connect to progressively change their cipher suites.

AWS has already set this as a default for their ELBs and will be changing their DH Groups to 2048 in the near future. My suggestion is to start upgrading Java 6 clients now and begin testing all SSL clients, regardless of technology, against servers running DH Groups above 1024 bits - otherwise you may see things just stop working.

Cover photo by FutUndBeidl under the Creative Commons license