From d852d63431a2c7a04aea81b17ce02f13c58e2ded Mon Sep 17 00:00:00 2001
From: TJ Saunders
Date: Thu, 21 May 2015 19:09:56 -0700
Subject: [PATCH] Bug#4184 - Remove support for "weak" Diffie-Hellman groups.
---
contrib/mod_tls.c | 31 +++++++++++++++++++++++++++++++
doc/contrib/mod_tls.html | 14 ++++++++++++++
2 files changed, 45 insertions(+)
diff --git a/contrib/mod_tls.c b/contrib/mod_tls.c
index 88896cbd63..97e209ea49 100644
--- a/contrib/mod_tls.c
+++ b/contrib/mod_tls.c
@@ -421,6 +421,13 @@ static int tls_required_on_ctrl = 0; static int tls_required_on_data = 0; static unsigned char *tls_authenticated = NULL; +/* Define the minimum DH group length we allow (unless the AllowWeakDH + * TLSOption is used). Ideally this would be 2048, per https://weakdh.org, + * but for compatibility with older Java versions, which only support up to + * 1024, we'll use 1024. For now. + */ +#define TLS_DH_MIN_LEN 1024 + /* mod_tls session flags */ #define TLS_SESS_ON_CTRL 0x0001 #define TLS_SESS_ON_DATA 0x0002
@@ -449,6 +456,7 @@ static unsigned char *tls_authenticated = NULL; #define TLS_OPT_ALLOW_CLIENT_RENEGOTIATIONS 0x0400 #define TLS_OPT_VERIFY_CERT_CN 0x0800 #define TLS_OPT_NO_AUTO_ECDH 0x1000 +#define TLS_OPT_ALLOW_WEAK_DH 0x2000 /* mod_tls SSCN modes */ #define TLS_SSCN_MODE_SERVER 0
@@ -2473,6 +2481,17 @@ static DH *tls_dh_cb(SSL *ssl, int is_export, int keylen) { if (EVP_PKEY_type(pkey->type) == EVP_PKEY_RSA || EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA) { pkeylen = EVP_PKEY_bits(pkey); + + if (pkeylen < TLS_DH_MIN_LEN) { + if (!(tls_opts & TLS_OPT_ALLOW_WEAK_DH)) { + pr_trace_msg(trace_channel, 11, + "certificate private key length %d less than %d bits, using %d " + "(see AllowWeakDH TLSOption)", pkeylen, TLS_DH_MIN_LEN, + TLS_DH_MIN_LEN); + pkeylen = TLS_DH_MIN_LEN; + } + } + if (pkeylen != keylen) { pr_trace_msg(trace_channel, 13, "adjusted DH parameter length from %d to %d bits", keylen, pkeylen);
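Review bot: `TLS_DH_MIN_LEN` in the `@@ -421` hunk is fixed at 1024 even though its own comment names 2048 as the preferred value, so a site with no old Java clients cannot raise the floor without editing the source. Guarding the definition, `#ifndef TLS_DH_MIN_LEN` / `# define TLS_DH_MIN_LEN 1024` / `#endif`, would let a build choose a stricter minimum. The comment could also state that this one constant bounds both the certificate-derived length and the built-in fallback in tls_dh_cb, since both clamps in this patch read it.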
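Review bot: In the clamp added to tls_dh_cb by the `@@ -2473` hunk, nothing is recorded when `pkeylen` is below `TLS_DH_MIN_LEN` and AllowWeakDH is set, so an operator who enabled the option cannot tell from the trace log when a short group was actually selected. An `else` on the inner test, e.g. `} else { pr_trace_msg(trace_channel, 11, "allowing DH length %d below %d bits (AllowWeakDH)", pkeylen, TLS_DH_MIN_LEN); }`, would make that visible. The second clamp before `switch (keylen)` in the `@@ -2524` hunk has the same gap, and in both places the two nested `if`s could be a single condition. The function begins and ends outside this hunk.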
@@ -2524,6 +2543,15 @@ static DH *tls_dh_cb(SSL *ssl, int is_export, int keylen) { /* Still no DH parameters found? Use the built-in ones. */ + if (keylen < TLS_DH_MIN_LEN) { + if (!(tls_opts & TLS_OPT_ALLOW_WEAK_DH)) { + pr_trace_msg(trace_channel, 11, + "requested key length %d less than %d bits, using %d " + "(see AllowWeakDH TLSOption)", keylen, TLS_DH_MIN_LEN, TLS_DH_MIN_LEN); + keylen = TLS_DH_MIN_LEN; + } + } + switch (keylen) { case 512: dh = get_dh512();
@@ -8941,6 +8969,9 @@ MODRET set_tlsoptions(cmd_rec *cmd) { } else if (strcmp(cmd->argv[i], "AllowPerUser") == 0) { opts |= TLS_OPT_ALLOW_PER_USER; + } else if (strcmp(cmd->argv[i], "AllowWeakDH") == 0) { + opts |= TLS_OPT_ALLOW_WEAK_DH; + } else if (strcmp(cmd->argv[i], "AllowClientRenegotiation") == 0 || strcmp(cmd->argv[i], "AllowClientRenegotiations") == 0) { opts |= TLS_OPT_ALLOW_CLIENT_RENEGOTIATIONS;
diff --git a/doc/contrib/mod_tls.html b/doc/contrib/mod_tls.html
index a1c41fd46a..61c5e84c79 100644
--- a/doc/contrib/mod_tls.html
+++ b/doc/contrib/mod_tls.html
@@ -814,6 +814,20 @@
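Review bot: The minimum-length test added in the `@@ -2524` hunk sits after the `/* Still no DH parameters found? ... */` comment, so it guards only the built-in fallback, and the earlier clamp applies only when the certificate key is RSA or DSA. The lookup that precedes this point is outside the hunk, but if it can return configured DH parameters matching the requested `keylen`, a group shorter than `TLS_DH_MIN_LEN` would be handed back without reaching this test. Consider clamping once at the top of tls_dh_cb, before any parameter lookup, `if (keylen < TLS_DH_MIN_LEN && !(tls_opts & TLS_OPT_ALLOW_WEAK_DH)) keylen = TLS_DH_MIN_LEN;`, so every return path honours the floor.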

TLSOptions

TLSRequired auth+data configurations will override the AllowPerUser option. +

+

  • AllowWeakDH
    +

    + The mod_tls will not use Diffie-Hellman groups of less + than 1024 bits, due to weaknesses + that can downgrade the security of an SSL/TLS session. If for any reason + your FTPS clients require smaller Diffie-Hellman groups, then + use this option. + +

    + Note that this option first appeared in + proftpd-1.3.6rc1. +

  • +

  • CommonNameRequired