On Sun, Sep 01, 2013 at 07:24:24PM +0000, Viktor Dukhovni wrote:

>     http://archives.neohapsis.com/archives/postfix/2013-09/0003.html
> 
> Peer Heinlein reports that some Exim SMTP clients fail to establish
> a TLS session with Postfix SMTP servers because Exim enforces a
> minimum prime size of 2048-bits for MODP EDH.

On a related note, this is a problem with GnuTLS pushing the envelope
too aggressively.  Since the TLS protocol does not support negotiation
of the DH parameters between client and server, client enforcement
of strong DH parameters that exceed common practice is rather
unwise.  Before TLS clients start being pedantic about key lengths
in auxiliary algorithms, most server implementations need to be
updated to implement said key lengths with corresponding SSL
cipher-suites.

Looking at the source code of GnuTLS 3.2.4 (really master branch
from "git" which is 3.2.4 plus some new code) I see that with GnuTLS
priority strings the "Normal" security level defaults to a minimum
DH bit length of 2432, which is perhaps sound cryptography, but poor
engineering:

  typedef struct
  {
    const char *name;
    gnutls_sec_param_t sec_param;
    unsigned int bits;                     /* security level */
    unsigned int pk_bits;                  /* DH, RSA, SRP */
    unsigned int dsa_bits;                 /* bits for DSA. Handled differently since
                                            * choice of key size in DSA is political.
                                            */
    unsigned int subgroup_bits;            /* subgroup bits */
    unsigned int ecc_bits;                 /* bits for ECC keys */
  } gnutls_sec_params_entry;

  static const gnutls_sec_params_entry sec_params[] = {
    {"Insecure", GNUTLS_SEC_PARAM_INSECURE, 0, 0, 0, 0, 0},
    {"Export", GNUTLS_SEC_PARAM_EXPORT, 42, 512, 0, 0, 0},
    {"Very weak", GNUTLS_SEC_PARAM_VERY_WEAK, 64, 727, 0, 0, 0},
    {"Weak", GNUTLS_SEC_PARAM_WEAK, 72, 1008, 1024, 160, 160},
    {"Low", GNUTLS_SEC_PARAM_LOW, 80, 1248, 2048, 160, 160},
    {"Legacy", GNUTLS_SEC_PARAM_LEGACY, 96, 1776, 2048, 192, 192},
    {"Normal", GNUTLS_SEC_PARAM_NORMAL, 112, 2432, 3072, 224, 224},
    {"High", GNUTLS_SEC_PARAM_HIGH, 128, 3248, 3072, 256, 256},
    {"Ultra", GNUTLS_SEC_PARAM_ULTRA, 256, 15424, 3072, 512, 512},
    {NULL, 0, 0, 0, 0, 0}
  };

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
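
One way for a server operator to compare a DH parameter file against the pk_bits minimums in the table quoted above. This is an added example, not part of the original message and not GnuTLS code. The function names are hypothetical, and the sample parameters are constructed (correct size and DER layout, but p is not a real prime).

```python
import base64, re

# pk_bits column (DH, RSA, SRP) of the sec_params[] table quoted in the message.
GNUTLS_PK_BITS = [("Insecure", 0), ("Export", 512), ("Very weak", 727),
                  ("Weak", 1008), ("Low", 1248), ("Legacy", 1776),
                  ("Normal", 2432), ("High", 3248), ("Ultra", 15424)]

def first_element(buf, want_tag):
    """Return the value bytes of the first DER element in buf, checking its tag."""
    if len(buf) < 2 or buf[0] != want_tag:
        raise ValueError("unexpected or truncated DER element")
    length, pos = buf[1], 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return buf[pos:pos + length]

def dh_prime_bits(pem):
    """Bit length of prime p in a PKCS#3 'DH PARAMETERS' PEM block."""
    m = re.search(r"BEGIN DH PARAMETERS-----(.+?)-----END DH PARAMETERS", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    seq = first_element(base64.b64decode("".join(m.group(1).split())), 0x30)
    prime = first_element(seq, 0x02)  # DHParameter ::= SEQUENCE { p INTEGER, g INTEGER }
    return int.from_bytes(prime, "big").bit_length()

def levels_not_met(bits):
    """Names of the levels whose minimum pk_bits exceeds the given prime size."""
    return [name for name, minimum in GNUTLS_PK_BITS if bits < minimum]

def tlv(tag, value):
    """DER-encode one element (used only to build the constructed sample)."""
    n = len(value)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + value

def constructed_pem(bits):
    """Constructed sample: right size and encoding, p is NOT a real prime."""
    p = (1 << (bits - 1)) | 1
    der = tlv(0x30, tlv(0x02, p.to_bytes(bits // 8 + 1, "big")) + tlv(0x02, b"\x02"))
    body = base64.encodebytes(der).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + body + "-----END DH PARAMETERS-----\n"
```

For the constructed 2048-bit sample, `levels_not_met` still returns Normal, High and Ultra, because the table's "Normal" minimum is 2432 bits.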
