How to test Logjam Attack (CVE-2015-4000) and fix

How to fix Logjam vulnerability in Apache HTTP & Nginx web server


The Logjam vulnerability in TLS (the EXPORT cipher suites) was disclosed on 20th May 2015 by a team of computer scientists at CNRS, Inria Nancy-Grand Est, Inria Paris-Rocquencourt, Microsoft Research, Johns Hopkins University, University of Michigan, and the University of Pennsylvania: David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-Beguelin, and Paul Zimmermann.

The Logjam vulnerability lets a man-in-the-middle attacker downgrade TLS connections to 512-bit export-grade cryptography.

That in turn lets the attacker read and modify any data transmitted over the network connection.

This is dangerous: an attacker can read credit card numbers or other sensitive information if your application is vulnerable to Logjam. It reminds me of the FREAK attack.

Logjam is not limited to HTTPS; it can affect other protocols that rely on TLS or Diffie-Hellman key exchange, such as SSH, IPSec and SMTP.

As of 24th May, 8.4% of the top 1 million domains were affected by the Logjam vulnerability. Let's take a look at the stats below, taken on 24th May.


Test if the client (browser) or server (HTTPS) is vulnerable to Logjam

Client (browser)

The easiest way to test is from the browser itself. If it's safe, you will see a "Good news" message like the one below.


If not, you will see a warning like the one below.


Server (HTTPS)

You can run a test against your website at the URL below to check whether it is safe from the Logjam attack.

Example: tested against


Fix the Logjam attack vulnerability

You can disable the EXPORT cipher suites in the respective web server configuration to mitigate this vulnerability.

Apache HTTP Server

Disable the export ciphers by adding the following to the SSL configuration file. If SSLCipherSuite is already set, append :!EXPORT to the existing value instead of adding a second directive; a directive consisting only of !EXPORT excludes suites from an empty list and leaves no cipher selected, so the HIGH:!aNULL:!MD5 part below stands in for your existing list.

SSLCipherSuite HIGH:!aNULL:!MD5:!EXPORT

Restart Apache, and that’s all.

Nginx

Add the following to the nginx.conf file (nginx allows only one ssl_ciphers directive per context, so if you already have one, append :!EXPORT to that line instead of adding a new one; HIGH:!aNULL:!MD5 below stands in for your existing list, since '!EXPORT' on its own selects no cipher and nginx will refuse to start):

ssl_ciphers 'HIGH:!aNULL:!MD5:!EXPORT';
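As an added example (not code from the original post), the check below resolves an SSLCipherSuite or ssl_ciphers value the way the server's OpenSSL would, so a directive of just !EXPORT is shown to leave no usable suite, and it pulls the ssl_ciphers lines out of an nginx server block to catch the duplicate-directive problem; the config text is constructed.

```python
import re
import ssl

def audit_cipher_string(cipher_string, min_bits=128):
    """Resolve an Apache SSLCipherSuite / nginx ssl_ciphers value with the
    local OpenSSL and report whether it is usable and free of export-grade
    (40/56-bit) or otherwise weak suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        # OpenSSL rejects a string that leaves no TLS <= 1.2 suite; a server
        # configured with it fails to start or cannot negotiate TLS.
        return {"ok": False, "reason": f"no cipher selected: {exc}", "weak": []}
    weak = [c["name"] for c in ctx.get_ciphers()
            if c["strength_bits"] < min_bits or "EXP" in c["name"]]
    return {"ok": not weak,
            "reason": "ok" if not weak else "weak suites present",
            "weak": weak}

def nginx_cipher_directives(config_text):
    """Return every ssl_ciphers value in the text; nginx refuses a second
    ssl_ciphers directive in the same context ("is duplicate"), which is
    the failure mode of adding a new line instead of editing the old one."""
    return re.findall(r"^\s*ssl_ciphers\s+'?([^';]+)'?\s*;", config_text, re.M)

# Constructed nginx server block showing the mistake: an existing list plus
# a second, !EXPORT-only directive added on its own line.
SAMPLE_NGINX = """
server {
    listen 443 ssl;
    ssl_ciphers 'HIGH:!aNULL:!MD5';
    ssl_ciphers '!EXPORT';
}
"""

if __name__ == "__main__":
    values = nginx_cipher_directives(SAMPLE_NGINX)
    if len(values) > 1:
        print(f"{len(values)} ssl_ciphers directives: nginx will reject this")
    for value in values + ["HIGH:!aNULL:!MD5:!EXPORT"]:
        print(f"{value!r}: {audit_cipher_string(value)}")
```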

You may also refer here for fixes in Sendmail, Tomcat, IIS, HAProxy, Lighttpd, etc.

About the author: Chandan Kumar is the founder of Geek Flare.


  1. Thanks for the article.

    Just a minor correction. For Nginx, if you already have an ssl_ciphers line in your config, you can't add a second line. You have to add it to the line already there.

    Although I use the Intermediate compatibility suggested line located here:

    It already has the !export statement in there, and I still fail the Logjam test. Trying to figure out what the issue is now.
