[aklug] heads-up for OpenSSL change affecting TLS using 512-bit DH parameters

From: Royce Williams <royce@tycho.org>
Date: Thu Jun 11 2015 - 18:21:26 AKDT

A semi-OT public-service announcement for Alaskan geeks, since this is
the largest forum I'm aware of that contains them. :) It will also
directly impact any Linux users trying to get to certain web sites,
including some Alaskan ones. I've been doing some research into SSL
and TLS recently, so I thought I could provide a heads-up.

Today's OpenSSL announcement here:

https://www.openssl.org/news/secadv_20150611.txt

... says:

"OpenSSL has added protection for TLS clients by rejecting handshakes
with DH parameters shorter than 768 bits. This limit will be increased
to 1024 bits in a future release."

This is in response to the recently publicized Logjam vulnerability:

    https://weakdh.org/

As these new OpenSSL patches ripple across the Internet, TLS to the
following Alaska-affiliated web sites may be affected, because they
are using 512-bit DH parameters:

The list of sites using 768-bit is quite a bit larger, and while
they're not currently affected by the OpenSSL patches, their days are
numbered. Action in advance is likely called for. They are as
follows:

Even those sites running at 1024 bit are affected (though only by
attackers at the nation-state level, as I understand it). That list
of hostnames is even longer, and I will defer publishing that for now
in the interest of brevity. :)

If you are an admin for one of these sites, please go to the Qualys
SSL Labs server tester to test your site to confirm the weak DH
parameters, and find tips on how to address the issue:

    https://www.ssllabs.com/ssltest/

If you aren't the admin for one of these sites but you know who is,
please forward this message accordingly.

I've worked with the Qualys results quite a bit, and have also tweaked
the SSL/TLS parameters in Windows and Linux/Apache land, so if you (or
they) have any questions, feel free to ping me.

As a side note, be aware that the OpenSSL team will stop supporting
the 0.9.8 and 1.0.0 branches of OpenSSL after December 2015. There's
probably a lot of embedded Linux, Linux VPSes, and Linux-based
appliances out there using these flavors of OpenSSL, so you should
probably start hunting for them now.

Royce
Received on Thu Jun 11 18:22:08 2015
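
Added example (not part of the message above and not OpenSSL code): an admin-side check that reads the prime size out of a PEM "DH PARAMETERS" file, the PKCS#3 format written by `openssl dhparam`, and compares it with the two limits quoted from the advisory. The function names and result labels are hypothetical, and the sample files are constructed in the code (correct size and encoding, but not real primes).

```python
import base64
# Limits quoted from the OpenSSL advisory text in the message above.
REJECT_BELOW = 768   # clients now reject DH parameters shorter than this
FUTURE_LIMIT = 1024  # announced limit for a future release

def _tlv(buf, pos=0):  # read one DER element; return (tag, value_bytes)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length]

def dh_prime_bits(pem_text):
    """Bit length of the prime p in a PEM 'DH PARAMETERS' block (PKCS#3)."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if lines[0] != "-----BEGIN DH PARAMETERS-----" or lines[-1] != "-----END DH PARAMETERS-----":
        raise ValueError("not a DH PARAMETERS PEM block")
    tag, seq = _tlv(base64.b64decode("".join(lines[1:-1])))
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, prime = _tlv(seq)  # first INTEGER in DHParameter is the prime
    if tag != 0x02:
        raise ValueError("expected INTEGER prime")
    return int.from_bytes(prime, "big").bit_length()

def classify(bits):
    if bits < REJECT_BELOW:
        return "rejected by patched clients"
    if bits < FUTURE_LIMIT:
        return "accepted now, below announced limit"
    return "meets announced limit"

def _der(tag, body):  # helper used only to build the constructed samples
    n = len(body)
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(nb)]) + nb) + body

def sample_pem(bits):
    """Constructed sample: right size and encoding, but p is NOT a real prime."""
    p = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00
    der = _der(0x30, _der(0x02, p) + _der(0x02, b"\x02"))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"

if __name__ == "__main__":
    print({b: classify(dh_prime_bits(sample_pem(b))) for b in (512, 768, 1024, 2048)})
```

To check a real server, pass the text of its configured DH parameter file to `dh_prime_bits()` in place of `sample_pem()`.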
