OFTP2 information

From OS4X
Revision as of 14:07, 4 April 2016 by Admin (talk | contribs) (New page: == Logjam == When communicating with an OFTP2 TLS server which is not offering a secure Diffie-Hellman key exchange, the following log message will occure if you are using an actual OS4X v...)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Logjam

When communicating with an OFTP2 TLS server which is not offering a secure Diffie-Hellman key exchange, the following log message will occure if you are using an actual OS4X version:

Google ChromeScreenSnapz111.png

Why does this happen after updating to a recent version of OS4X?

The situation has been rised since May 2015, when the Logjam attack became public. As a result, the minimum requirement for Diffie-Hellman keys in the TLS handshake has been rised to 768bits (valid until end-2015) up to 1024bits (since Janiuary 2016).

We are very keen about our objective to transmit files securely over the internet, and we cannot leave security behind just for cosmetic reasons. We live online security, so we want that our customers profit from a secure communication product.

In real-life situation, what is happening here?

Solutions

There are several ways to overcome this situation:

Best solution: your communication partner offers a Diffie-Hellman key in the TLS handshake of appropriate size, actually more than 1024bits.

If the remote server uses a Diffie-Hellman key of at least 1024bits in size, you're actually safe and your communication cannot be decrypted as it is possible with a smaller key size. Perhaps the minimum value will rise in the future, so it's best to ask your partner for 1024bit and 2048bit DH keys.


Your communication partner offers a TLS cipher with Elliptic Curve Diffie-Hellman key exchange, which is not affected by this situation

On your own risk: you disable all ciphers using Diffie-Hellman key exchange

Use this option by activating the configuration parameter "Configuration" -> "TLS" -> "Allow insecure downgrade of TLS cipher". You will be asked for the CVE number of the Logjam attack, so you need to learn about this situation in order to better decide if this solution is what you want.


Technical background

External links