[Ach] Thanks for the Logjam blog-post

Hanno Böck hanno at hboeck.de
Thu May 21 15:47:49 CEST 2015


On Thu, 21 May 2015 15:44:18 +0200
Axel Huebl <axel.huebl at plasma.ninja> wrote:

> server=bettercrypto.org && echo | openssl s_client -connect \
> $server:443 -msg -cipher "DH" 2>/dev/null | grep -A 1 \
> "ServerKeyExchange" | tail -n1 | awk '{print strtonum("0x"$5$6)*8}'

If you add -servername $server it'll also work with SNI.

This is not as insignificant as it may sound. E.g. latest Apache
versions try to align the DH group with the cert, so it's quite likely
that a server will answer with different groups on different hosts. If
you have a 2048 bit RSA cert it'll use a 2048 bit group etc.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno at hboeck.de
GPG: BBB51E42
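
Added example, not part of the original mail: the one-liner from the thread with -servername, wrapped so that several virtual hosts on one address can be compared, since each may answer with a different DH group. The function names, the minimum-size argument and the sample handshake lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original mail. Function names are hypothetical.

# dh_bits: read `openssl s_client -msg` output on stdin, print the size of the
# DH prime p in bits. A DHE ServerKeyExchange starts with
#   0c | 3-byte message length | 2-byte length of p | p ...
# so hex bytes 5 and 6 of the dump give the length of p in bytes.
# Returns 1 when no ServerKeyExchange is present (TLS 1.3, failed handshake).
dh_bits() {
    hex=$(grep -A 1 'ServerKeyExchange' | tail -n1 | awk '$1 == "0c" {print $5 $6}')
    [ -n "$hex" ] || return 1
    echo $(( 0x$hex * 8 ))   # shell arithmetic; strtonum() is a gawk extension
}

# dh_bits_for_vhost ADDR HOST: connect to ADDR:443 and send HOST as SNI.
dh_bits_for_vhost() {
    echo | openssl s_client -connect "$1:443" -servername "$2" \
        -msg -cipher "DH" 2>/dev/null | dh_bits
}

# audit_vhosts ADDR MIN_BITS HOST...: one result line per virtual host.
# MIN_BITS is the caller's policy (assumption), not a value from the mail.
# Usage: audit_vhosts 192.0.2.10 2048 www.example.org mail.example.org
audit_vhosts() {
    addr=$1; min=$2; shift 2
    for host in "$@"; do
        if bits=$(dh_bits_for_vhost "$addr" "$host"); then
            [ "$bits" -ge "$min" ] && verdict=ok || verdict=weak
            echo "$host $bits $verdict"
        else
            echo "$host - no-dhe"
        fi
    done
}

# Constructed -msg excerpts (not captured from a real server): the length of p
# is 0x0100 = 256 bytes in the first and 0x0080 = 128 bytes in the second.
sample_2048() {
    printf '%s\n' '<<< TLS 1.2 Handshake [length 020f], ServerKeyExchange' \
                  '    0c 00 02 0b 01 00 ff ff ff ff ff ff ff ff c9 0f'
}
sample_1024() {
    printf '%s\n' '<<< TLS 1.2 Handshake [length 010f], ServerKeyExchange' \
                  '    0c 00 01 0b 00 80 ff ff ff ff ff ff ff ff c9 0f'
}
```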