Insecure DH parameters selected by default

[tomato42]

When using openssl s_server with RSA keys that are 1024 bit or 2048 bit long OpenSSL will select DH parameters from RFC 5114, a.k.a group 22 and group 23 for IKE.

Those parameters do not use a safe primes, they do have small subgroups, see also https://jhalderm.com/pub/papers/subgroup-ndss16.pdf

This affects both current 1.1.1 (8354f53) and master (c7f837c)

Reproducer:

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/CN=localhost"
openssl s_server -key key.pem -cert cert.pem -www &> openssl.err &
openssl_pid=$!
git clone https://github.com/tomato42/tlsfuzzer
pushd tlsfuzzer
git checkout ffdh-param-matching  # won't be needed after https://github.com/tomato42/tlsfuzzer/pull/668 is merged
git clone https://github.com/tomato42/tlslite-ng .tlslite-ng
ln -s .tlslite-ng/tlslite tlslite
git clone https://github.com/warner/python-ecdsa .python-ecdsa
ln -s .python-ecdsa/ecdsa ecdsa
PYTHONPATH=. python scripts/test-ffdhe-expected-params.py
popd
kill $openssl_pid

tlsfuzzer output:

sanity ...
OK

FFDH parameters check ...
Error encountered while processing node <tlsfuzzer.expect.ExpectServerKeyExchange object at 0x7f68949a6e10> (child: <tlsfuzzer.expect.ExpectServerHelloDone object at 0x7f68949a6e50>) with last message being: <tlslite.messages.Message object at 0x7f68949acc90>
Error while processing
Traceback (most recent call last):
  File "scripts/test-ffdhe-expected-params.py", line 217, in main
    runner.run()
  File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/runner.py", line 239, in run
    node.process(self.state, msg)
  File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/expect.py", line 1147, in process
    self._checkParams(server_key_exchange)
  File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/expect.py", line 1084, in _checkParams
    "received: {0}".format(name))
AssertionError: DH parameters not from valid set, received: RFC5114 group 23

sanity ...
OK

Test to check if server selects the expected DH parameters
See tlslite.mathtls.FFDHE_PARAMETERS for supported names

Test end
====================
version: 1
====================
TOTAL: 3
SKIP: 0
PASS: 2
XFAIL: 0
FAIL: 1
XPASS: 0
====================
FAILED:
        'FFDH parameters check'

Using a larger RSA key, like 3072, will cause OpenSSL to select the secure RFC 3526 group 15 parameters.

(side note: it's possible to specify expected parameters using the --named-ffdh, e.g.: PYTHONPATH=. python scripts/test-ffdhe-expected-params.py --named-ffdh "RFC3526 group 15")

[kroeckx]

The defaults returned by ssl_get_auto_dh() seem to be: DH_get_1024_160() DH_get_2048_224() BN_get_rfc3526_prime_3072() BN_get_rfc3526_prime_8192() It should be easy to switch them to the FFDHE versions. That doesn't have a 1024 bit version, but I think we should just drop that. We might also want to consider deprecating some of those curves. Kurt

[tomato42]

there's BN_get_rfc2409_prime_1024() that does use a safe prime
and of course there's BN_get_rfc3526_prime_2048()

[kroeckx]

For some reason I thought we didn't allow DHE keys of 1024 bit anymore, but it seems that 1024 is the minimum we accept at any security level.

[tomato42]

ok, sketched-out something in #12061

[tomato42]

Backport to 1.1.1 branch is in #12160