Comments on How to protect your Debian or Ubuntu Server against the Logjam attack
This tutorial describes the steps that need to be taken to protect your Ubuntu or Debian Linux server against the recently detected Logjam attack. Logjam is an attack against the Diffie-Hellman key exchange, which is used in popular encryption protocols like HTTPS, TLS, SMTPS, SSH and others. A detailed description can be found at https://weakdh.org/
Comments
In Debian 8, after adding the line
SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams.pem"
and restarting apache, I got
Invalid command 'SSLOpenSSLConfCmd', perhaps misspelled or defined by a mod...ration
So I commented it out and could restart apache.
In line:
potconf -e "smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem"
there is a typo, the command is: postconf (missing 's').
After restarting pureftp:
Restarting ftp server: /usr/sbin/pure-ftpd-wrapper: Invalid configuration file /etc/pure-ftpd/conf/TLSCipherSuite: No corresponding directive
I had no file TLSCipherSuite there, so what is the complete content of this file?
Which Debian or Ubuntu version do you use?
This is in my case the same with Ubuntu 14.04.01 LTS as well as Debian Wheezy. This on two different servers with both pure-ftp version 1.0.36 installed.
The tutorial has been updated to solve this, see my comment from 2015-05-21 08:40:23, please redo the pure-ftpd part to fix this on your server.
It's great that you raise awareness for this issue. A few notes:
1) Error on the second postfix command, "potconf".
2) The SSLOpenSSLConfCmd needs OpenSSL 1.0.2, Jessie uses 1.0.1k at the moment.
Thanks for the hint! I've added a note on the openssl version to the guide.
Thx. for the great summary on this issue. :)
Winni Neessen has provided a small patch that allows fixing this issue for Apache versions 2.2.xx, too.
Based on this patch I've recompiled the current Apache 2.2.22 sources of Debian Wheezy for i386 and amd64 machines:
https://flo.sh/debian-wheezy-apache2-logjam-fix/
Just in case someone is looking for a quick fix for Debian Wheezy until the security team has published an official fix for this issue.
-Flo
Thanks for this great howto!
There is a little typing error on the second postconf command. It should be postconf instead of potconf.
Best regards.
Thanks to everyone for pointing out the typo with the postconf command, I corrected that now in the tutorial.
Exactly, under Debian 7 with apache 2.2.22 this does not work.
You can only set the secure cipher suites with apache 2.2, that's explained in the guide, this provides already some protection against the attack. The additional protection with the DH group requires apache version > 2.4.8 and OpenSSL > 1.0.2.
I get the same error on Ubuntu 14.04.2 LTS. The '/etc/pure-ftpd/conf' dir has the following files:
AltLog
BrokenClientsCompatibility
ChrootEveryone
DisplayDotFiles
DontResolve
FSCharset
MinUID
MySQLConfigFile
NoAnonymous
PAMAuthentication
PureDB
TLS
UnixAuthentication
The pure-ftpd version is 1.0.36-1.1.
Thanks for pointing that out. I had added the TLSCipherSuite option on my servers last year already as protection against the poodle attack, so I did not notice that it is still missing in the regular Debian and Ubuntu packages. I've added instructions to the tutorial on how to add support for cipher suites in the pure-ftpd wrapper script.
thx a lot :-)
For nginx the line for the ssl_dhparam should end with a semicolon:
ssl_dhparam /etc/ssl/private/dhparams.pem;
On nginx, do I need to update OpenSSL to 1.0.2 in the first place?
My OS is Debian Jessie.
Hi,
I did a test on www.ssllabs.com/ssltest/ (provided by weakdh.org) after this tutorial.
My rating was B because Diffie-Hellman (DH) key exchange is still enabled.
"This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B"
So I added ":!DH" to the ssl_cipher_list to disable it, my rating is A now!
For Debian 7 the config doesn't work...
---------------cut--------------------
Syntax error on line 76 of /etc/apache2/mods-enabled/ssl.conf:
Invalid command 'SSLOpenSSLConfCmd', perhaps misspelled or defined by a module not included in the server configuration
Action 'configtest' failed.
The Apache error log may have more information.
failed!
-----------------------cut---------------------------
The config works fine for Debian 7, you just added a command that the tutorial tells you not to add on Debian 7 as the apache version is too old. Please read the apache config section again, it explains which commands shall be added for which apache version.
Same for me on Debian 7,
Invalid command 'SSLOpenSSLConfCmd', perhaps misspelled or defined by a module not included in the server configuration
Action 'configtest' failed.
The Apache error log may have more information.
failed!
--------------------------------------------
here is my apache2 version after the upgrade
root@ismconfig:~# apache2 -v
Server version: Apache/2.2.22 (Debian)
Server built: May 21 2015 00:57:22
--------------------------------------------
root@ispconfig:~# openssl version
OpenSSL 1.0.1e 11 Feb 2013
Take a look at the versions you posted: your apache version is "2.2.22" but the SSLOpenSSLConfCmd command requires 2.4.8 or newer. Same for the openssl version.
The tutorial clearly tells you to NOT add the command on Debian 7 as the apache version in Debian 7 is too old. As described in the above tutorial, you shall add only the lines "SSLProtocol", "SSLCipherSuite" and "SSLHonorCipherOrder" but NOT "SSLOpenSSLConfCmd" in your apache version.
So the fix is to edit the apache ssl config file again, remove the line "SSLOpenSSLConfCmd" and restart apache.
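A small POSIX shell helper, added here as an example and not part of the tutorial or of any comment, that parses the `apache2 -v` and `openssl version` output posted in this thread and applies the rule stated above (Apache 2.4.8 or newer and OpenSSL 1.0.2 or newer) before deciding whether SSLOpenSSLConfCmd DHParameters can be added; the sample version lines are constructed copies of what the commenters posted.

```shell
#!/bin/sh
# Added example: decide whether the SSLOpenSSLConfCmd DHParameters directive
# can be used. The thread's rule: it needs Apache 2.4.8 or newer AND
# OpenSSL 1.0.2 or newer; older versions get only SSLProtocol,
# SSLCipherSuite and SSLHonorCipherOrder.

# Pull "2.2.22" out of "Server version: Apache/2.2.22 (Debian)".
apache_version() {
    printf '%s\n' "$1" | sed -n 's#.*Apache/\([0-9][0-9.]*\).*#\1#p'
}

# Pull "1.0.1" out of "OpenSSL 1.0.1e 11 Feb 2013"; the letter suffix is a
# patch level and does not matter for the 1.0.2 threshold.
openssl_version() {
    printf '%s\n' "$1" | sed -n 's#^OpenSSL \([0-9][0-9.]*\).*#\1#p'
}

# version_ge A B: exit 0 when dotted version A is >= B, compared numerically
# field by field (so 2.4.10 is newer than 2.4.8, unlike a string compare).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# Prints "yes" when both thresholds are met, "no" otherwise (including when
# a version line could not be parsed at all).
dhparams_directive_ok() {
    av=$(apache_version "$1")
    ov=$(openssl_version "$2")
    if version_ge "$av" 2.4.8 && version_ge "$ov" 1.0.2; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample lines matching the versions posted in the thread.
# On a live server: dhparams_directive_ok "$(apache2 -v | head -1)" "$(openssl version)"
dhparams_directive_ok "Server version: Apache/2.2.22 (Debian)" "OpenSSL 1.0.1e 11 Feb 2013"
```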
I have already something in the /etc/pure-ftpd/conf/TLSCipherSuite file:
HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3
I added the rest like this:
HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3:ECDHE-RSA-AES128-GCM-SHA256:[and the rest of this long line]
The first part was from a fix against some exploit, should I leave it?
From the tutorial "When the file exists already and contains some ciphers, then replace the ciphers with the ones above.". :)
After this update TLS over FTP gets timeout !!!
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Command: USER *********
Response: 331 User ****** OK. Password required
Command: PASS **********
Response: 230 OK. Current restricted directory is /
Command: OPTS UTF8 ON
Response: 200 OK, UTF-8 enabled
Command: PBSZ 0
Response: 200 PBSZ=0
Command: PROT P
Response: 200 Data protection level set to "private"
Status: Connected
Status: Retrieving directory listing of "/web"...
Command: CWD /web
Response: 250 OK. Current directory is /web
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PASV
Response: 227 Entering Passive Mode (.............,49,156)
Command: MLSD
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
How about checking the logs? When I set this up for myself it seems to work properly.
Hi, thanks for the guide.
I got the same versions of apache and openssl as you do ... if I get it right, we are not fully protected until we upgrade the OpenSSL and Apache versions? On https://www.ssllabs.com/ssltest/ my server is capped down to B because of DH, and on https://weakdh.org/sysadmin.html I got the message: "This site uses a commonly-shared 1024-bit Diffie-Hellman group, and might be in range of being broken by a nation-state. It might be a good idea to generate a unique, 2048-bit group for the site."
Hi, thanks, worked for me..
In addition, have a look here..
https://flo.sh/debian-wheezy-apache2-logjam-fix/
a patched Debian Wheezy apache2.2, which allows setting dh3072
Pure-FTPd has never been vulnerable to logjam. DH was not supported until 1.0.36, and in more recent releases, it either uses ECDH, or the RFC3526 2048-bit prime, or the supplied parameters, which the documentation recommends to be 2048-bit as well.
For safety reasons, I have my encryption settings configured in apache like this:
SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5:!RC4
It is said that only encryption of 256 bits or more is allowed.
Wouldn't it be better to leave only high-level encryption active and deny the ciphers as shown below?
SSLCipherSuite HIGH:!MEDIUM:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
Since the last updates for Ubuntu 12.04 LTS, this apache version 2.2.22 is able to read alternative DHparams appended to certificate .pem files. If you don't want to append it to every vhost certificate, you can also do this by appending the DHparams to the SSLCertificateFile configured in default-ssl. The new params are also loaded if this site isn't enabled. We've tested this with https://weakdh.org/sysadmin.html and https://www.ssllabs.com/ssltest/
In addition to my last comment (it is not yet activated)...
If you follow this tutorial, you can also activate the new DHparams if you add the line
SSLCertificateFile /etc/ssl/private/dhparams.pem
to the file /etc/apache2/mods-available/ssl.conf and reload the apache2 service.
Should I create a httpd section in /etc/nginx/nginx.conf?
In my nginx.conf there is only http section.
Debian 7
apache2 -v
Server version: Apache/2.2.22 (Debian)
Server built: Dec 23 2014 22:48:29
openssl version
OpenSSL 1.0.1e 11 Feb 2013
Invalid command 'SSLOpenSSLConfCmd', perhaps misspelled or defined by a module not included in the server configuration
That's the expected output. As the tutorial states, you should add the command only when your apache version is > 2.4.8 and OpenSSL > 1.0.2, and on your server both versions are lower than the required minimum versions for this command, so you should not have added that line on your server.
Ok so I made the changes to Apache2, Dovecot and Postfix as per the instructions, now I can't connect to ISPCONFIG via https://xxx.xxx.x.xxx:8080
Centos7 ?
I can't say how I thank you. After I tested my site certificate on www.ssllabs.com I got B the first time with a "Weak key exchange" error, but after I followed your well-written tutorial I'm able to get an A grade. That's great.
I've followed this tutorial on Debian 7, and I get the following error:
Invalid command 'SSLOpenSSLConfCmd', perhaps misspelled or defined by a module not included in the server configuration
However, I upgraded Apache2 to 2.4.10 and OpenSSL to 1.0.2. So I don't know why I should still receive this error?
Hi Till,
I'm very new to Debian and I followed your great tutorial The Perfect Server - Debian 8.4 on my Debian 8.6 OS.
All things went fine and it works perfectly. Now my question: is it necessary to add further safety aspects, e.g. according to this tutorial? What further instructions can you recommend?
Thanks for your help!
Hi, is this tutorial still current, given the current /etc/apache2/mods-available/ssl.conf settings, which include
#SSL v2 is no longer supported