EldoS | Feel safer!

Software components for data protection, secure storage and transfer

LogJam Reactions

Posted: 05/29/2015 06:04:39
by ITSG (Standard support level)
Joined: 06/27/2013
Posts: 34

Hi there,

just got a ticket in, to investigate if our FTPS Servers are vulnerable to the new LogJam issues.
After a quick read, i think disableing CipherSuites 28 and 29 (DHE_RSA_AES128,DHE_RSA_AES256) should do the job.
Do i miss something ?

Here are the ciphers, we are using right now:

Server.set_CipherSuites(86, true); //ECDH_ECDSA_AES128
Server.set_CipherSuites(87, true); //ECDH_ECDSA_AES256
Server.set_CipherSuites(96, true); //ECDH_RSA_AES128
Server.set_CipherSuites(97, true); //ECDH_RSA_AES256
Server.set_CipherSuites(16, true); //DH_DSS_AES128
Server.set_CipherSuites(17, true); //DH_DSS_AES256
Server.set_CipherSuites(20, true); //DH_RSA_AES128
Server.set_CipherSuites(21, true); //DH_RSA_AES256
Server.set_CipherSuites(91, true); //ECDHE_ECDSA_AES128
Server.set_CipherSuites(92, true); //ECDHE_ECDSA_AES256
Server.set_CipherSuites(101, true); //ECDHE_RSA_AES128
Server.set_CipherSuites(102, true); //ECDHE_RSA_AES256
Server.set_CipherSuites(24, true); //DHE_DSS_AES128
Server.set_CipherSuites(25, true); //DHE_DSS_AES256
Server.set_CipherSuites(28, true); //DHE_RSA_AES128
Server.set_CipherSuites(29, true); //DHE_RSA_AES256
Server.set_CipherSuites(58, true); //ECDHE_PSK_AES128
Server.set_CipherSuites(59, true); //ECDHE_PSK_AES256
Server.set_CipherSuites(62, true); //DHE_PSK_AES128
Server.set_CipherSuites(63, true); //DHE_PSK_AES256
Server.set_CipherSuites(66, true); //RSA_PSK_AES128
Server.set_CipherSuites(67, true); //RSA_PSK_AES256

Do we need a security upgrade for SBB ?
Any advice for the sFTP Server we are also running ?

Thanks for any help
Posted: 05/29/2015 06:29:48
by Vsevolod Ievgiienko (Team)

Thank you for contacting us.

In general you should not use all SB_SUITE_DH_*_EXPORT and SB_SUITE_DHE_*_EXPORT ciphersuites listed here: https://www.eldos.com/documentation/sb...suite.html

But these weak ciphersuites are already turned off by default in our library. Also our server side SSL/TLS implementation generate 1024-bit DH parameters.

So your current configuration should not be vulnerable to this attack.

Any advice for the sFTP Server we are also running ?

The attack is for TLS protocol. SFTP is built on top of SSH, so the attack is irrelevant for SFTP.
Posted: 06/02/2015 02:01:15
by ITSG (Standard support level)
Joined: 06/27/2013
Posts: 34

Thank You for that fast response.

On the page https://weakdh.org/sysadmin.html is another advice regarding this problem:

Generate a Strong, Unique Diffie Hellman Group. A few fixed groups are used by millions of servers, which makes them an optimal target for precomputation, and potential eavesdropping. Administrators should generate unique, 2048-bit or stronger Diffie-Hellman groups using "safe" primes for each website or server.

Is there something we can Do when using the SBB or is this some other area ?

Posted: 06/02/2015 02:06:38
by Vsevolod Ievgiienko (Team)

Our code generates unique DH group for each application instance. You can increase bits count from default 1024 value by changing SBSSLServer.Unit.G_SSLDHKeyLength variable.
Posted: 06/02/2015 07:39:57
by ITSG (Standard support level)
Joined: 06/27/2013
Posts: 34

ok, cool.

Any advice, how i set the SBSSLServer.Unit.G_SSLDHKeyLength to 2048 in c# ?

In this Part:
FTPSServer_OnEstablishSecureConnection(object Sender, SBSSLServer.TElSSLServer Server) ?
Posted: 06/02/2015 07:47:37
by ITSG (Standard support level)
Joined: 06/27/2013
Posts: 34

Got it...sorry ;-)
Posted: 06/26/2015 07:24:58
by ITSG (Standard support level)
Joined: 06/27/2013
Posts: 34

It doesent seem to work.
I set the Length when creating the instance of the FTPS Server like this:
SBSSLServer.Unit.G_SSLDHKeyLength = 2048;

But after connecting, this is was i get as a trace result:

TLS 1.0 Handshake [length 0310], ServerKeyExchange
0c 00 03 0c 00 80

and with my understanding the Length is still 1024 bit:
00 80 --> 0x0080 --> 128 Byte --> 1024 Bit

Any hint on doing it right ?
Posted: 06/26/2015 08:17:36
by Ken Ivanov (Team)

Hi Martin,

Please try setting this property at the very start of your application, before the server components are created. This should help.


Posted: 02/22/2016 11:21:23
by Alexander Rennie (Basic support level)
Joined: 02/22/2016
Posts: 1

Hello there,

I have the same issue with our partner requiring a longer bit length (i.e. 2048 or more) for the Diffie-Helman key. However, I am attempting (and failing) to establish a connection using the SBSimpleSftp.TElSimpleSFTPClient object in C#. Is there an equivalent means of altering the key length for SFTP, as I believe the above event handler and property do not exist in my case.

Thank you in advance,

Posted: 02/22/2016 11:31:17
by Eugene Mayevski (Team)

Alexander, I've noticed there is no Support Access Ticket linked to your user account on EldoS site. Technical Support is provided to customers with the linked Support Access Ticket. You will find your Support Access Ticket together with all the details about how to use it in the registration e-mail that we’ve sent to you upon the purchase.

If you are evaluating the product and don't have a license yet, please let us know and then you can have support according to Basic support level. Basic support level includes answering basic technical questions that appear during product evaluation period. We also offer Premium support for a purchase from https://www.eldos.com/support/calc.php . You can use Premium Support to get higher level of assistance during your evaluation of our products.

Sincerely yours
Eugene Mayevski



Topic viewed 4452 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!