On Tue, 3 Sep 2013 10:34:18 -0700 David Lin-Shung Huang <[email protected]> wrote:
> When using DHE cipher suites on an Apache HTTPS server, we noticed
> (via Wireshark) that the DHE key size (1024 bits) is smaller than our
> RSA signature key size (2048 bits nowadays). This seems to be the
> default behavior, and there are no options to correctly configure the
> DHE key size.
>
> The DHE modes are supposed to provide forward-secrecy. If a site
> chooses to use a 2048-bit public-key in its cert it means that it
> considers a 1024-bit modulus insecure. One could make the argument
> that since the DH parameters are ephemeral they could be generated
> using a smaller security parameter, but that seems quite dangerous
> since it will not prevent a targeted attack on a specific session.

I've raised that topic last time in June. You're right and this really
worries me as many people today cry "let's use PFS" (which is generally
good), but this seriously threatens the security of PFS-modes.

There's an experimental patch to make DH parameters configurable:
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
(I have the 2.4.x-patch running on an experimental server and it works
for me)

Both in the bug report and in the thread in June there was zero
feedback from any of the Apache devs.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: [email protected]
GPG: BBB51E42
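Added example, not part of the original mail or of the Apache patch: the size comparison described in the quoted message (DHE modulus versus certificate RSA key), done by parsing a DHE ServerKeyExchange handshake message instead of reading it off Wireshark. It assumes the RFC 5246 layout (dh_p, dh_g, dh_Ys as length-prefixed vectors); the function names are hypothetical, the certificate key size is supplied by the caller, and the sample messages are constructed filler of the right sizes.

```python
import struct

SERVER_KEY_EXCHANGE = 12  # TLS handshake message type (RFC 5246)

def read_opaque16(buf, off):
    """Read one opaque<1..2^16-1> vector: 2-byte length, then that many bytes."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("vector length runs past the message")
    return buf[off:off + n], off + n

def dhe_modulus_bits(msg):
    """Bit length of dh_p in a DHE ServerKeyExchange handshake message."""
    if len(msg) < 4 or msg[0] != SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    dh_p, off = read_opaque16(body, 0)       # prime modulus
    _dh_g, off = read_opaque16(body, off)    # generator
    _dh_ys, off = read_opaque16(body, off)   # server public value
    # Whatever follows dh_Ys is the signature over the parameters; not needed here.
    return int.from_bytes(dh_p, "big").bit_length()

def compare_to_cert(msg, cert_rsa_bits):
    """Report whether the ephemeral DH group is smaller than the cert's RSA key."""
    dh_bits = dhe_modulus_bits(msg)
    return {"dh_bits": dh_bits, "cert_rsa_bits": cert_rsa_bits,
            "dh_weaker_than_cert": dh_bits < cert_rsa_bits}

def build_sample(p_len_bytes):
    """Constructed test message: filler bytes of the right sizes, not a real DH group."""
    p = b"\xff" * p_len_bytes
    fields = (p, b"\x02", b"\x01" * p_len_bytes)
    body = b"".join(struct.pack("!H", len(f)) + f for f in fields)
    body += b"\x00" * 8  # stand-in for the trailing signature block
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    for size in (128, 256):
        print(compare_to_cert(build_sample(size), cert_rsa_bits=2048))
```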
