Insecure DH parameters selected by default #12060
Labels
issue: bug report
Comments
The defaults returned by ssl_get_auto_dh() seem to be:
DH_get_1024_160()
DH_get_2048_224()
BN_get_rfc3526_prime_3072()
BN_get_rfc3526_prime_8192()
It should be easy to switch them to the FFDHE versions. That
doesn't have a 1024 bit version, but I think we should just drop
that.
We might also want to consider deprecating some of those curves.
Kurt
there's BN_get_rfc2409_prime_1024() that does use a safe prime
For some reason I thought we didn't allow DHE keys of 1024 bit
anymore, but it seems that 1024 is the minimum we accept at any
security level.
ok, sketched-out something in #12061
Backport to 1.1.1 branch is in #12160
When using openssl s_server with RSA keys that are 1024 bit or 2048 bit long, OpenSSL will select DH parameters from RFC 5114, a.k.a. group 22 and group 23 for IKE.
Those parameters do not use safe primes, they do have small subgroups; see also https://jhalderm.com/pub/papers/subgroup-ndss16.pdf
This affects both current 1.1.1 (8354f53) and master (c7f837c)
Reproducer:
tlsfuzzer output:
Using a larger RSA key, like 3072, will cause OpenSSL to select the secure RFC 3526 group 15 parameters.
(side note: it's possible to specify expected parameters using the --named-ffdh, e.g.: PYTHONPATH=. python scripts/test-ffdhe-expected-params.py --named-ffdh "RFC3526 group 15")
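An added example (not part of the issue, and not OpenSSL or tlsfuzzer code) of the safe-prime property this report turns on: it rebuilds the RFC 2409 and RFC 3526 primes from the formulas published in those RFCs and checks that p and (p-1)/2 are both prime. The small-subgroup prime is a constructed stand-in, not the RFC 5114 values, and all helper names are hypothetical.

```python
# Added example; helper names are illustrative, not OpenSSL or tlsfuzzer API.
def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases (probabilistic test, repeatable result)."""
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def is_safe_prime(p):
    """p and q = (p-1)/2 both prime: subgroup orders are only 1, 2, q and 2q."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def _arctan_inv(x, one):
    """Fixed-point arctan(1/x) * one, summed from the Taylor series."""
    total = term = one // x
    n, sign = 3, -1
    while term:
        term //= x * x
        total += sign * (term // n)
        n, sign = n + 2, -sign
    return total

def oakley_prime(bits, offset, guard=64):
    """2^bits - 2^(bits-64) - 1 + 2^64 * (floor(2^(bits-130) * pi) + offset)."""
    one = 1 << (bits - 130 + guard)  # guard bits absorb series truncation error
    pi = (16 * _arctan_inv(5, one) - 4 * _arctan_inv(239, one)) >> guard
    return 2**bits - 2**(bits - 64) - 1 + 2**64 * (pi + offset)

def small_subgroup_prime(p_bits=1024, q=2**127 - 1):
    """Constructed stand-in: prime p = 2kq + 1, so a subgroup of order q exists."""
    k = 1 << (p_bits - q.bit_length() - 1)
    while not is_probable_prime(2 * k * q + 1):
        k += 1
    return 2 * k * q + 1
RFC2409_1024 = oakley_prime(1024, 129093)   # BN_get_rfc2409_prime_1024()
RFC3526_2048 = oakley_prime(2048, 124476)   # RFC 3526 group 14
RFC3526_3072 = oakley_prime(3072, 1690314)  # RFC 3526 group 15
```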