Haproxy and weakdh/logjam

Hi,

Everyone has probably heard about the recently disclosed weakdh/logjam attack [0] already. Here are a few personal thoughts on the impact on Haproxy.

The weakdh issue is twofold:

- if the HTTPS server is willing to accept a cipher suite using a very weak Diffie-Hellman (DH) group, like for example TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, then it is possible for an adversary in position of man-in-the-middle (MitM) to downgrade the security level of a given connection to this cipher suite, thus reducing the security to 512-bit DH;

- a nation-state adversary may be able to pre-compute all the possible values of a commonly-shared 1024-bit DH group, thus being able to decrypt all exchanges using that group.

The first point depends on the cipher suite specified by the administrator with the "ssl-default-bind-ciphers" or "ciphers" parameters. I strongly encourage everyone to use the modern cipher suite described on the Mozilla wiki [1]. Please at least consider using the "Intermediate" one.

In the default configuration, Haproxy uses a 1024-bit DH key generated from the second Oakley group [2] for Diffie-Hellman Ephemeral (DHE) key exchange. This group is widely used, and is likely to be the first target for pre-computation by an adversary with large enough computing capabilities. I would advise using instead a 2048-bit key generated from the MODP group 14, by setting the tune.ssl.default-dh-param parameter to 2048, or even disabling DHE altogether if you are expecting every client to support ECDHE key exchange.

Note that increasing the tune.ssl.default-dh-param will increase the CPU load on your server, and may therefore increase the connection establishment latency. If you cannot increase the DH key size above 1024-bit, please at least generate a custom DH group with the "openssl dhparam 2048" command, and add the result of this command to your certificate file.

Best regards,

[0]: https://weakdh.org/
[1]: https://wiki.mozilla.org/Security/Server_Side_TLS
[2]: https://tools.ietf.org/html/rfc2409#section-6.2

--
Remi
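
One way to check a configuration against the two points in the message above, as an added example that is not part of the original message or of Haproxy itself. The sample configurations, file path and cipher lists are constructed, an absent tune.ssl.default-dh-param is assumed to mean the 1024-bit default the message describes, and export suites are recognised by the "EXP" marker in OpenSSL cipher names.

```python
import re

MIN_DH_BITS = 2048  # size the message recommends for tune.ssl.default-dh-param

# Constructed sample configurations (file path and cipher lists are illustrative).
WEAK_CFG = """\
global
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:EXP-EDH-RSA-DES-CBC-SHA
    tune.ssl.default-dh-param 1024
frontend www
    bind :443 ssl crt /etc/haproxy/site.pem ciphers DHE-RSA-AES128-SHA:!EXPORT
"""
FIXED_CFG = WEAK_CFG.replace(":EXP-EDH-RSA-DES-CBC-SHA", "").replace("1024", "2048")

def directives(cfg_text):
    """Yield (line_no, words) for each non-empty line, comments stripped."""
    for no, line in enumerate(cfg_text.splitlines(), 1):
        words = line.split("#", 1)[0].split()
        if words:
            yield no, words

def audit(cfg_text):
    """Return [(line_no, message)]; line_no 0 means the setting is absent."""
    findings = []
    dh_bits, dh_line = 1024, 0  # assumption: unset means the 1024-bit default
    cipher_strings = []
    for no, words in directives(cfg_text):
        if words[0] == "tune.ssl.default-dh-param" and len(words) > 1:
            dh_bits, dh_line = int(words[1]), no
        elif words[0] == "ssl-default-bind-ciphers" and len(words) > 1:
            cipher_strings.append((no, words[1]))
        elif words[0] == "bind" and "ciphers" in words[:-1]:
            cipher_strings.append((no, words[words.index("ciphers") + 1]))
    if dh_bits < MIN_DH_BITS:
        findings.append((dh_line, f"DHE group is {dh_bits}-bit, below {MIN_DH_BITS}"))
    for no, cs in cipher_strings:
        for tok in re.split(r"[:,]", cs):
            # '!' and '-' prefixes remove suites in OpenSSL cipher-string syntax
            if tok and tok[0] not in "!-" and "EXP" in tok.upper():
                findings.append((no, f"export-grade suite enabled: {tok}"))
    return findings

if __name__ == "__main__":
    for line_no, msg in audit(WEAK_CFG):
        print(f"line {line_no}: {msg}")
```

The check reads only the configuration text; it does not see a custom DH group appended to a certificate file, so a 1024-bit finding still needs that file inspected separately.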