Kerio Connect forum: LOGJAM vulnerability

MarkK

Messages: 454
Karma: 46
One of the latest. https://weakdh.org

Is this an issue in Connect?
Pavel Dobry (Kerio)

Messages: 5153
Karma: 243
No, it is not.
Kerio Connect uses 1024- and 2048-bit groups with an infrequently used prime number in DH. Moreover, in Kerio Connect 8.5 ECDHE is used.
You can test your server yourself: https://weakdh.org/sysadmin.html

[Updated on: Wed, 20 May 2015 18:17]


Knowledge Base: http://kb.kerio.com/.
Technical support: http://www.kerio.com/support
------------------
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
MarkK

Messages: 454
Karma: 46
Good to hear! Any way to force or influence the use of 2048 rather than the 1024 bit groups?
Pavel Dobry (Kerio)

Messages: 5153
Karma: 243
Group size is negotiated by the client; there is no option to force 2048 bit on Kerio Connect. Anyway, Kerio Connect does not use a commonly used prime for the 1024-bit DH group, so it should be much harder to crack.

pal

Messages: 51
Karma: 1
Can you elaborate on where to find the DH parameters, so that we can recreate them to our own standards?
Lukas Petrlik (Kerio)

Messages: 109
Karma: 7
You can set your own DH parameters in current Connect versions, but it is not recommended unless you know for sure that you can generate good ones. And yes, the method is unsupported by Kerio, and it can be bad for your health. You have been warned.
If you insist on doing it, stop Connect, put 1024-bit DH parameters into C:\Program Files\Kerio\MailServer\ssldhe\dh1024.pem and 2048-bit DH parameters into C:\Program Files\Kerio\MailServer\ssldhe\dh2048.pem, set AllowEphemeralDH to 2 in mailserver.cfg, and start Connect.
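Two points in this thread can be checked offline against the parameter file itself: Pavel's statement that the 1024-bit group does not use a commonly shared prime, and Lukas's warning that a custom dh1024.pem / dh2048.pem is only safe if the parameters are good. The following script is an added example and is not Kerio's code or anything posted in this thread. It parses a PEM "DH PARAMETERS" file (the format `openssl dhparam` writes: a DER SEQUENCE of INTEGER p and INTEGER g), reports the prime size, checks that p is a probable prime and a safe prime ((p-1)/2 also prime), and compares p with RFC 2409 Oakley Group 2, a 1024-bit prime shared by many IKE and TLS deployments and therefore attractive for the precomputation attack described at weakdh.org. The PEM encoder and the sample parameters at the bottom are constructed for the example; the file paths from Lukas's post are only referenced in the usage note.

```python
import base64
import random

# RFC 2409 "Oakley Group 2": a 1024-bit MODP prime shared by a large number of
# deployments. A parameter file that uses it is exactly the "commonly used prime"
# case the thread is worried about.
COMMON_PRIMES = {
    "RFC 2409 Oakley Group 2 (1024-bit)": int(
        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
        "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
        "FFFFFFFFFFFFFFFF", 16),
}


def _der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value_bytes, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params(pem):
    """Return (p, g) from a PEM 'DH PARAMETERS' block."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    der = base64.b64decode(body)
    tag, seq, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag_p, p_bytes, pos = _der_read(seq, 0)
    tag_g, g_bytes, _ = _der_read(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p, INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_int(n):
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:                        # keep the INTEGER positive
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def encode_dh_params(p, g):
    """Build a PEM 'DH PARAMETERS' block for (p, g); used here to construct sample input."""
    seq = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(seq)) + seq
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def is_probable_prime(n, rounds=16):
    """Miller-Rabin with fixed-seed random bases (good enough for a parameter audit)."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def assess_dh_params(pem):
    """Summarise what a defender wants to know about a DH parameter file."""
    p, g = parse_dh_params(pem)
    common = [name for name, known in COMMON_PRIMES.items() if known == p]
    return {
        "bits": p.bit_length(),
        "generator": g,
        "prime": is_probable_prime(p),
        "safe_prime": is_probable_prime((p - 1) // 2),
        "common_group": common[0] if common else None,
    }


# Constructed sample: a file that uses the shared Oakley Group 2 prime with g = 2.
SAMPLE_PEM = encode_dh_params(COMMON_PRIMES["RFC 2409 Oakley Group 2 (1024-bit)"], 2)

if __name__ == "__main__":
    for key, value in assess_dh_params(SAMPLE_PEM).items():
        print(f"{key}: {value}")
```

To audit a real file, generate it with `openssl dhparam -out dh2048.pem 2048` (or read the existing one from the ssldhe directory Lukas names) and pass `open(path).read()` to `assess_dh_params`. A result with `common_group` set, or with `prime` or `safe_prime` false, is the "bad parameters" case the post warns about; a 1024-bit file that is a safe prime and matches no known shared group is what Pavel describes for the stock configuration.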
pal

Messages: 51
Karma: 1
Thanks for letting us know. A follow-up question: is there any option to omit the 1024-bit DH parameters (e.g. an empty file) to prevent 1024-bit DH usage?
jremme

Messages: 2
Karma: 0
Hello,

How can we change to 2048-bit DH on Linux?

Thanks

Jens
Lukas Petrlik (Kerio)

Messages: 109
Karma: 7
If you enforce the use of 2048-bit DHE parameters, you will lose the ability to receive mail from applications running on JDK 7 and earlier, see e.g. https://tt4cs.wordpress.com/2014/04/20/dh-2048-now-supported-by-jdk8/ .

So if you do not want to use 1024-bit DHE parameters, I would rather disable Diffie-Hellman key exchange altogether. A good discussion of the tradeoffs is at http://security.stackexchange.com/questions/42812/1024-bit-dhe-vs-2048-bit-rsa
jremme

Messages: 2
Karma: 0
The JDK is no problem for us. Can you please tell me how we can switch to 2048 bit?

Thanks