Hello, I recently had a look at how browsers react to DH key exchanges with bogus modulus values. here's what I found: http://blog.hboeck.de/archives/841-Diffie-Hellman-and-TLS-with-nonsense-parameters.html
And here is a test (warning: crashes some chrome/chromium versions) https://dh.tlsfun.de/ I wanted to bring this up here, because some openssl-based browser accept just about anything for the DH prime setting (including completely bogus values like 15). NSS seems to filter very small values (below 512). I wonder if I should report this to the browsers or if this is something openssl should fix. My suggestion would be that openssl as a client just rejects all DH parameters below 1024 bit. (I'd like to say reject below 2048, but I know that's not feasible - at least not today) To give some context: It is not immediately a security issue to allow insecure DH parameters, because usually TLS is used to protect connections between two parties that should trust each other. However, the recent triple handshake issue brought up a problem that exploited weak DH parameters. But it is important to say that there is more than one way to weaken DH parameters and not all of them can be tested in a reasonable way by the client. (e.g. testing if a prime really is a prime is not efficiently possible for large key exchanges - and there are also weak primes) cu, -- Hanno Böck http://hboeck.de/ mail/jabber: [email protected] GPG: BBB51E42
signature.asc
Description: PGP signature
