Fix for "Logjam" vulnerability is deployed; requires rebuild


(Kane York) #1

Vulnerability info: https://weakdh.org/

One of the main parts of the vulnerability is that anyone sharing DHE parameters across a wide range of servers would be open to passive spying on the SSL connections after a significant, but one-time, investment.

If you are using self-hosted Discourse with SSL without any extra proxies in front:

To remedy this, Discourse will now generate unique DHE parameters the first time you bootstrap the app with SSL enabled. To fix:

cd /var/discourse
./launcher rebuild app

If you are using discourse.org hosting:

All discourse.org servers are already using a 2048-bit Diffie-Hellman group. No further action is required.

If you are hosting multiple websites on the same machine as Discourse:

Run these commands:

# Or pick a different directory
$ mkdir -p /var/www/keys
$ chmod 750 /var/www/keys
$ openssl dhparam -out /var/www/keys/dhparams.pem 2048
$ chown www-data:www-data /var/www/keys
$ sudoedit /etc/nginx/nginx.conf

        ##
        # SSL Settings
        ##

        ssl_session_cache    shared:SSL:10m;
        ssl_session_timeout  10m;

        # Add this line
        ssl_dhparam /var/www/keys/dhparams.pem;

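A small audit script for the nginx setup above, added here as an example and not part of the original post or of Discourse: it checks that a site config names an ssl_dhparam file, that the file exists, and that the group is at least 2048 bits. It assumes openssl is in PATH; the config path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Audit an nginx config for the Logjam mitigation described in the thread.
# Assumes openssl is in PATH and the config uses the ssl_dhparam directive.

# Print the group size in bits of a PEM DH-parameter file (empty if unreadable).
dhparam_bits() {
    openssl dhparam -in "$1" -text -noout 2>/dev/null |
        sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the path named by the first ssl_dhparam directive in an nginx config file.
dhparam_path_from_conf() {
    sed -n 's/^[[:space:]]*ssl_dhparam[[:space:]]\{1,\}\([^;]*\);.*/\1/p' "$1" | head -n 1
}

# Return 0 when the config points at an existing DH-parameter file of at least
# $2 bits (default 2048); otherwise print the reason and return 1.
check_dhparam() {
    conf="$1"
    min="${2:-2048}"
    path=$(dhparam_path_from_conf "$conf")
    if [ -z "$path" ]; then
        echo "FAIL: no ssl_dhparam directive in $conf"
        return 1
    fi
    if [ ! -r "$path" ]; then
        echo "FAIL: $path (from $conf) is missing or unreadable"
        return 1
    fi
    bits=$(dhparam_bits "$path")
    if [ -z "$bits" ]; then
        echo "FAIL: $path is not a valid PEM DH-parameter file"
        return 1
    fi
    if [ "$bits" -lt "$min" ]; then
        echo "FAIL: $path is only $bits bits (want >= $min)"
        return 1
    fi
    echo "OK: $conf uses $path ($bits-bit group)"
    return 0
}

# Usage (placeholder path): check_dhparam /etc/nginx/nginx.conf
```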

(Erick Guan) #2

seems no common here.


(Kane York) #3

lol whoops I copied the wrong place and then I edited the wrong post