On Tue, Nov 05, 2013 at 11:43:54PM -0500, Daniel Kahn Gillmor wrote:
> I noticed recently that OpenSSL as a client is happy to connect to a
> server that offers a trivially-crackable DH group.
>
> You can try it out at https://demo.cmrg.net/
>
> Other modern TLS implementations will refuse to connect to this server
> because the DHE group is only 16 bits. OpenSSL happily connects and
> does not inform the user that their expected message authenticity and
> confidentiality and integrity guarantees are not being met. I consider
> this a security failure in the key exchange, just as i would consider it
> a failure for OpenSSL to silently accept a known-broken cipher or MAC
> from its peer.
>
> I'd like to propose that the OpenSSL client implementation reject
> connections to peers that offer DH groups < 1024 bits, rather than
> failing open. The attached patch should have this effect.

I filed a ticket about this earlier (#3120). You can see the discussion
about that here:
http://openssl.6102.n7.nabble.com/openssl-org-3120-Minimum-size-of-DH-td46401.html

Which basically says that clients can reject it if they want, but I'd
rather see some sane default.

Kurt
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org