You're entirely misunderstanding Logjam. The actual Logjam attack refers to a flaw in the TLS protocol that would allow MITM attackers to downgrade a connection to an export cipher. This is only possible if your server supports export-grade ciphers, which it should not if you're following Mozilla's guide.

Using a 1024-bit DH param does not "open you" to any attack. According to the authors of the FREAK/Logjam disclosure, use of a common 1024-bit DH param potentially allows for threats from nation-state adversaries. If you've pissed off the NSA, forget about legacy compatibility with Java nonsense and use a custom 2048 (or higher) param. If you're paranoid about supporting grandma's Java app, stick with the default.

On May 23, 2015, at 8:39, Grant <emailgr...@gmail.com> wrote:

>>> I'm using Mozilla's "Old backward compatibility" ssl_ciphers so I feel
>>> good about my compatibility there, but does the following open me up
>>> to potential compatibility problems:
>>>
>>> # openssl dhparam -out dhparams.pem 2048
>>
>> DHE params larger than 1024 bits are not compatible with Java 6/7 clients.
>> If you need compatibility with those clients, use a DHE of 1024 bits, or
>> disable DHE entirely.
>
> My server is open to the internet so I'd like to maintain
> compatibility with as many clients as possible, but I don't serve any
> Java apps. Given that, will DHE params larger than 1024 bits affect
> my compatibility?
>
> If so, I believe a DHE of 1024 bits opens me to the LogJam attack, so
> if I disable DHE entirely will that affect my compatibility?
>
> - Grant
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx