Re: DH params and multiple certificates in one VHost
On 19.04.2014 09:37, Falco Schwarz wrote: I successfully tested your attached patch with the latest 1.0.2 branch. The DH temp key now has the bit length of the used RSA key, regardless of SSLCertificate[Key]File order. Thanks for testing. Committed to trunk with r1588851 and proposed for backport to 2.4.x. Kaspar
Re: DH params and multiple certificates in one VHost
On 18.04.2014 23:19, Falco Schwarz wrote: On Fri, Apr 18, 2014 at 4:04 PM, Daniel Kahn Gillmor d...@fifthhorseman.netwrote: Looking at the code, it appears that ssl_callback_TmpDH() in modules/ssl/ssl_engine_kernel.c doesn't try to match ECC keys at all -- this probably needs to be updated. That was also my conclusion. It kinda makes sense that ECC keys are not matched, because there is no ECDSA+DH cipher. Right, there are no cipher suites which use ECDSA for authentication and ephemeral Diffie-Hellman keys (cf. openssl ciphers -v aECDSA). ssl_callback_TmpDH() is therefore irrelevant for the ECC case (it is only called for DHE-* cipher suites, not for ECDHE-* ones). For ephemeral ECDH, mod_ssl is relying on automatic curve selection, if available (OpenSSL 1.0.2 or later), see also [1]. However ssl_callback_TmpDH() would either have to iterate through all private keys or just read the first key in order to be consistent with DH / ECDH params. The problem is the one pointed out by Steve in [2] already, I think: in the callback, SSL_get_privatekey() doesn't get us the private key which is actually used for the current connection, it only returns the current key i.e. the last one we configured. Reindl, that is quite a good guide on how to setup certificates as of 2.4.9. With one noteworthy exception: putting the private key into its own SSLCertificateKeyFile is preferred over having it in SSLCertificateFile (BTW, Harald would be the first name, I assume you didn't intend to call him by his last name). Kaspar [1] https://mail-archives.apache.org/mod_mbox/httpd-dev/201401.mbox/%3c52cc3c0d.1030...@velox.ch%3E [2] https://mail-archives.apache.org/mod_mbox/httpd-dev/201402.mbox/%3c53057121.70...@opensslfoundation.com%3E
Re: DH params and multiple certificates in one VHost
On Sat, Apr 19, 2014 at 8:19 AM, Kaspar Brand httpd-dev.2...@velox.ch wrote: The problem is the one pointed out by Steve in [2] already, I think: in the callback, SSL_get_privatekey() doesn't get us the private key which is actually used for the current connection, it only returns the current key i.e. the last one we configured. [2] https://mail-archives.apache.org/mod_mbox/httpd-dev/201402.mbox/%3c53057121.70...@opensslfoundation.com%3E Oh my, I must have completely forgotten about [2]. I am sorry, I didn't intend to reopen the same issue again. Like Steve said, the right thing would probably be that OpenSSL actually returns the private key used by the connection. (and apologies Harald, I got confused by the displayed name.)
Re: DH params and multiple certificates in one VHost
On 19.04.2014 09:00, Falco Schwarz wrote: that OpenSSL actually returns the private key used by the connection. I just noticed [1], so you might want to try the attached (but untested) patch with 1.0.2-beta1 at least (beware of CVE-2014-0160 though, later versions preferred). Kaspar [1] https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=58b86e4235cd420f607819727d372af9f7a80224 Index: modules/ssl/ssl_engine_kernel.c === --- modules/ssl/ssl_engine_kernel.c (revision 1588426) +++ modules/ssl/ssl_engine_kernel.c (working copy) @@ -1344,9 +1344,15 @@ make_get_dh(rfc3526, 4096, 2) DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen) { conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); -EVP_PKEY *pkey = SSL_get_privatekey(ssl); -int type = pkey ? EVP_PKEY_type(pkey-type) : EVP_PKEY_NONE; +EVP_PKEY *pkey; +int type; +#ifdef SSL_CERT_SET_SERVER +SSL_set_current_cert(ssl, SSL_CERT_SET_SERVER); +#endif +pkey = SSL_get_privatekey(ssl); +type = pkey ? EVP_PKEY_type(pkey-type) : EVP_PKEY_NONE; + /* * OpenSSL will call us with either keylen == 512 or keylen == 1024 * (see the definition of SSL_EXPORT_PKEYLENGTH in ssl_locl.h).
Re: DH params and multiple certificates in one VHost
I successfully tested your attached patch with the latest 1.0.2 branch. The DH temp key now has the bit length of the used RSA key, regardless of SSLCertificate[Key]File order. Thank you, Kaspar. On Sat, Apr 19, 2014 at 9:11 AM, Kaspar Brand httpd-dev.2...@velox.ch wrote: On 19.04.2014 09:00, Falco Schwarz wrote: that OpenSSL actually returns the private key used by the connection. I just noticed [1], so you might want to try the attached (but untested) patch with 1.0.2-beta1 at least (beware of CVE-2014-0160 though, later versions preferred). Kaspar [1] https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=58b86e4235cd420f607819727d372af9f7a80224
Re: DH params and multiple certificates in one VHost
On 04/18/2014 08:34 AM, Falco Schwarz wrote: As of httpd-2.4.7 the strength of DH temp keys is determined by the private key's bit length. I recently noticed the following behavior (using httpd-2.4.9 and openssl-1.0.2-beta2-dev): I am using multiple certificates for one VHost (ECC and RSA): SSLCertificateFile conf/ssl/example.org.ecc.cer SSLCertificateKeyFile conf/ssl/example.org.ecc.key SSLCertificateFile conf/ssl/example.org.rsa.cer SSLCertificateKeyFile conf/ssl/example.org.rsa.key If no DH params are specified in the first certificate, then the DH temp key is dependent on the last private key's bit length, instead of the first. So, if the ECC key is defined last, then the DH temp key will be 1024bit. This sounds like a mistake, unless you're using a remarkably small ECC key. The goal of basing the DH parameters on the size of the server's public key should be to match the cryptographic strength of the key exchange with the cryptographic strength of the server's public key authentication. If the server's ECC key is a 256-bit ECC key, that is (roughly) equivalent to a 128 bits symmetric cipher. A comparable discrete log Diffie-Hellman group should have a modulus of 3248 bits, according to ECRYPT [0]. Looking at the code, it appears that ssl_callback_TmpDH() in modules/ssl/ssl_engine_kernel.c doesn't try to match ECC keys at all -- this probably needs to be updated. --dkg [0] page 30 of http://www.ecrypt.eu.org/documents/D.SPA.20.pdf signature.asc Description: OpenPGP digital signature
Re: DH params and multiple certificates in one VHost
Am 18.04.2014 14:34, schrieb Falco Schwarz: As of httpd-2.4.7 the strength of DH temp keys is determined by the private key's bit length. I recently noticed the following behavior (using httpd-2.4.9 and openssl-1.0.2-beta2-dev): I am using multiple certificates for one VHost (ECC and RSA): SSLCertificateFile conf/ssl/example.org.ecc.cer SSLCertificateKeyFile conf/ssl/example.org.ecc.key SSLCertificateFile conf/ssl/example.org.rsa.cer SSLCertificateKeyFile conf/ssl/example.org.rsa.key If no DH params are specified in the first certificate, then the DH temp key is dependent on the last private key's bit length, instead of the first. So, if the ECC key is defined last, then the DH temp key will be 1024bit. If the RSA key is defined last, then the dh temp key will be 2048bit. From a users perspective it would be helpful if the DH temp key is always associated with the first certificate from a users perspective you should avoid multiple certs with recent httpd releases you can place *all* in one below the structure of our wildcard-cert-file whereever i have to specify a certificate or key it's the same single file and in fact you no longer need some config params at all with a PEM file built that way * our certificate * our key * GoDaddy intermediate certificate 1 * GoDaddy intermediate certificate 2 * ecc params * dh params if you have a 3072 or 4096 RSA key as recommended you should also consider set the DH params for older browsers not supporting ECDHE to 2048 bit, otherwise you break at least Firefox 1 - Firefox 3 #!/bin/bash openssl ecparam -out /data/pki/ec.pem -name prime256v1 openssl gendh -out /data/pki/dh.pem -2 2048 cat /data/pki/ec.pem /data/pki/dh.pem /data/pki/ecdh_params.pem rm -f /data/pki/ec.pem rm -f /data/pki/dh.pem chown root:root /data/pki/*.pem chmod 400 /data/pki/*.pem cat your.crt your.key ca-crt-1 ca-crt-2 /data/pki/ecdh_params.pem your-new-file.pem ___ FYI: GoDaddy has 3 certs in their package and one should according to https://www.ssllabs.com/ssltest/ not be included because it contains the anchor and is marked as chain issue -BEGIN CERTIFICATE- -END CERTIFICATE- -BEGIN PRIVATE KEY- -END PRIVATE KEY- -BEGIN CERTIFICATE- -END CERTIFICATE- -BEGIN CERTIFICATE- -END CERTIFICATE- -BEGIN EC PARAMETERS- -END EC PARAMETERS- -BEGIN DH PARAMETERS- -END DH PARAMETERS- signature.asc Description: OpenPGP digital signature
Re: DH params and multiple certificates in one VHost
On Fri, Apr 18, 2014 at 4:04 PM, Daniel Kahn Gillmor d...@fifthhorseman.netwrote: Looking at the code, it appears that ssl_callback_TmpDH() in modules/ssl/ssl_engine_kernel.c doesn't try to match ECC keys at all -- this probably needs to be updated. That was also my conclusion. It kinda makes sense that ECC keys are not matched, because there is no ECDSA+DH cipher. However ssl_callback_TmpDH() would either have to iterate through all private keys or just read the first key in order to be consistent with DH / ECDH params. Reindl, that is quite a good guide on how to setup certificates as of 2.4.9. Unfortunately you are describing what changed concerning certificate chains, I was talking about different algorithms for server authentication. I guess that was not exactly clear from my description, sorry. Either way, you cannot mix ECC and RSA keys in one file, you have to use multiple SSLCertificate[Key]File directives, see [1]. [1] http://httpd.apache.org/docs/2.4/en/mod/mod_ssl.html#sslcertificatefile