On Thu, May 28, 2015 at 12:21:42PM +0200, A. Schulze wrote:
> > When the server is authenticated, it is not going to send weak DH
> > keys with strong ciphers.
>
> why?
Authenticated servers don't go out of their way to present artificially
weak keys. If they really want to disclose the session content, they can
disable DH, and publish their RSA keys, ...

The logjam attack replays signed DH parameters from a session that
negotiates an export ciphersuite. Once export ciphers are disabled, the
server will no longer be vulnerable, because the MiTM will no longer be
able to obtain signatures for weak DH parameters with the right "client
random" value.

-- 
Viktor.
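The point Viktor makes above is that the ServerKeyExchange signature covers the client random, the server random and the DH parameters, but not the ciphersuite the server actually selected, so a signature the server produced for export-strength parameters verifies for a client that believes it negotiated a strong suite; once the server no longer offers export suites it never produces such a signature for any client random. The following simulation is an added example, not code from the thread or from any TLS implementation: an HMAC under the server's key stands in for the RSA signature, the DH groups are constructed integers of the right bit length rather than real safe primes, the suite names and the 2048-bit minimum are assumptions, and the model stops at signature verification (it does not model the Finished messages). It shows the server-side fix (disable export suites) and the independent client-side check (reject small moduli).

```python
import hashlib
import hmac
import os
import struct

# Hypothetical policy: the smallest DH modulus a defensive client accepts (bits).
MIN_DH_BITS = 2048

# Constructed stand-ins for DH groups: integers of the right bit length, not real primes.
EXPORT_P = (1 << 511) | 0x1ED3    # 512-bit "export" strength
STRONG_P = (1 << 2047) | 0x1ED3   # 2048-bit strength
G = 2


def encode_params(p, g, ys):
    """Serialize ServerDHParams as p, g, Ys, each with a 2-byte length prefix (RFC 5246 layout)."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


def parse_p(params):
    """Return the modulus p from a serialized ServerDHParams blob."""
    (plen,) = struct.unpack("!H", params[:2])
    return int.from_bytes(params[2:2 + plen], "big")


def signed_input(client_random, server_random, params):
    # RFC 5246 signs ClientHello.random || ServerHello.random || ServerDHParams.
    # What is NOT covered: the cipher suite the server actually selected.
    return client_random + server_random + params


class Server:
    """Toy DHE server. HMAC with a private key stands in for the RSA signature."""

    def __init__(self, export_enabled):
        self.key = os.urandom(32)
        self.export_enabled = export_enabled

    def server_key_exchange(self, client_random, chosen_suite):
        if chosen_suite == "DHE_EXPORT":
            if not self.export_enabled:
                return None            # suite disabled: server never signs weak params
            p = EXPORT_P
        else:
            p = STRONG_P
        server_random = os.urandom(32)
        ys = pow(G, 0x1234567, p)      # constructed private exponent, toy public value
        params = encode_params(p, G, ys)
        sig = hmac.new(self.key, signed_input(client_random, server_random, params),
                       hashlib.sha256).digest()
        return server_random, params, sig


def client_verify(server_key, client_random, server_random, params, sig):
    """Client-side check of the ServerKeyExchange signature (server_key plays the public key)."""
    expected = hmac.new(server_key, signed_input(client_random, server_random, params),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def handshake(server, offered_suites, mitm_rewrites_to=None):
    """Run one DHE handshake. An in-path party may rewrite the offered suite list but
    leaves client_random untouched and forwards ServerKeyExchange unchanged.
    Returns (suite_server_used, p_bits, signature_valid_at_client), or None when the
    server refuses the rewritten offer."""
    client_random = os.urandom(32)
    seen_by_server = mitm_rewrites_to if mitm_rewrites_to is not None else offered_suites
    suite = "DHE_EXPORT" if "DHE_EXPORT" in seen_by_server else "DHE"
    ske = server.server_key_exchange(client_random, suite)
    if ske is None:
        return None
    server_random, params, sig = ske
    valid = client_verify(server.key, client_random, server_random, params, sig)
    return suite, parse_p(params).bit_length(), valid


def client_accepts_group(params, min_bits=MIN_DH_BITS):
    """Independent client-side mitigation: reject any modulus below the policy size."""
    return parse_p(params).bit_length() >= min_bits


def demo():
    vulnerable = Server(export_enabled=True)
    hardened = Server(export_enabled=False)
    return {
        "honest": handshake(hardened, ["DHE"]),
        "downgraded": handshake(vulnerable, ["DHE"], mitm_rewrites_to=["DHE_EXPORT"]),
        "downgrade_vs_hardened": handshake(hardened, ["DHE"], mitm_rewrites_to=["DHE_EXPORT"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The "downgraded" case is the mechanism Viktor describes: the signature verifies at the client even though p is 512 bits, because the client random is the victim's own and nothing in the signed data records which suite was chosen. The "downgrade_vs_hardened" case returns None, which is the effect of disabling export ciphers on the server; `client_accepts_group` is the separate check a client can apply regardless of server configuration.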