A 2015 TLS vulnerability (CVE-2015-4000) that lets attackers downgrade connections to weak Diffie-Hellman parameters and recover the session key.

Is LOGJAM a current threat?

On modern servers no, but unmaintained servers occasionally still negotiate weak DH. The fix takes minutes; the verification is free.

How do I generate strong DH parameters?

Use openssl: `openssl dhparam -out dhparams.pem 2048`. Generation is slow (minutes) but you only do it once per deploy. Reference the file in your server TLS config.

Do I need DH if I have ECDHE?

Not strictly. ECDHE provides forward secrecy without classic DH. Modern setups can disable DHE entirely and use ECDHE-only cipher suites for cleaner config.

Does this affect SEO?

Not directly. It is security hygiene — strengthening TLS without any SEO trade-off.

TLS Logjam Signal Test

The TLS LOGJAM Test checks whether your server is vulnerable to the LOGJAM attack (CVE-2015-4000) by accepting weak Diffie-Hellman parameters (1024-bit or smaller) in the TLS handshake. LOGJAM lets attackers downgrade connections to weak DH and recover the session key. Like FREAK, LOGJAM is a 2015 vulnerability that should be disabled on every modern server — but legacy or unmaintained installs occasionally still negotiate weak DH parameters.

What This Tool Checks

Server response to weak DH cipher offer
Diffie-Hellman parameter strength (target: 2048-bit minimum)
Cipher suite selection
TLS protocol version negotiated
Forward secrecy availability

Why It Matters for SEO

LOGJAM affects servers that accept export-grade Diffie-Hellman key exchange. Modern best practice uses 2048-bit DH parameters at minimum (or skips classic DH entirely in favour of Elliptic Curve Diffie-Hellman). Servers still on 1024-bit DH from a 2014-era config are technically vulnerable to nation-state-level attackers and trivially fail modern security audits.

How to Fix It

Generate fresh DH parameters at 2048 bits or higher. Disable EXPORT cipher suites entirely. Prefer ECDHE over DHE in the cipher order. Use the Mozilla SSL Configuration Generator for a known-good baseline. Re-test until the server refuses any weak DH offer.

How It Works

We open a TLS handshake offering weak DH-EXPORT cipher suites. A vulnerable server negotiates with weak DH parameters; a properly configured server refuses with a handshake failure. We also report the bit-strength of any DH parameters the server uses for legitimate suites.

Common Mistakes to Avoid

Default DH parameters from 2014 (1024-bit) still in use
Custom cipher list including DHE-EXPORT suites
Out-of-date OpenSSL with weak DH defaults
No ECDHE support, forcing weak classic DH
Skipping LOGJAM verification because "it is old news"

Quick Checklist

No weak DH-EXPORT ciphers accepted
2048-bit DH parameters minimum
ECDHE preferred over classic DHE
Modern Mozilla cipher list applied
Re-tested after server upgrades

TLS Logjam Signal Test

What This Tool Checks

Why It Matters for SEO

How to Fix It

How It Works

Common Mistakes to Avoid

Quick Checklist

Frequently Asked Questions

Related Free Tools

About PositionMySite

Services

Let's Connect