[openssl-dev] [openssl.org #3164] [PATCH] require DH group of 1024 bits
How prophetic! We now require 768 and will do another bump to 1024 in the near future, so I'm resolving this ticket.

Cheers,
Emilia

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl.org #3164] [PATCH] require DH group of 1024 bits
Reject connections to TLS servers that select DH key exchange but offer a weak DH group. --- ssl/s3_clnt.c | 6 ++ ssl/ssl.h | 1 + ssl/ssl_err.c | 1 + 3 files changed, 8 insertions(+) diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index bf1ef47..ef638c4 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -3481,6 +3481,12 @@ int ssl3_check_cert_and_algorithm(SSL *s) SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT); goto f_err; } +else if ((alg_k (SSL_kEDH|SSL_kDHr|SSL_kDHd)) + (dh == NULL || DH_size(dh)*8 1024)) + { + SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_WEAK_DH_GROUP); + goto f_err; + } #ifndef OPENSSL_NO_DSA else if ((alg_k SSL_kDHd) !SSL_USE_SIGALGS(s) !has_bits(i,EVP_PK_DH|EVP_PKS_DSA)) diff --git a/ssl/ssl.h b/ssl/ssl.h index 013345e..36ffa6e 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -3073,6 +3073,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_UNSUPPORTED_SSL_VERSION 259 #define SSL_R_UNSUPPORTED_STATUS_TYPE 329 #define SSL_R_USE_SRTP_NOT_NEGOTIATED 369 +#define SSL_R_WEAK_DH_GROUP 394 #define SSL_R_WRITE_BIO_NOT_SET 260 #define SSL_R_WRONG_CERTIFICATE_TYPE383 #define SSL_R_WRONG_CIPHER_RETURNED 261 diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index e663483..844c600 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -623,6 +623,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {ERR_REASON(SSL_R_UNSUPPORTED_SSL_VERSION),unsupported ssl version}, {ERR_REASON(SSL_R_UNSUPPORTED_STATUS_TYPE),unsupported status type}, {ERR_REASON(SSL_R_USE_SRTP_NOT_NEGOTIATED),use srtp not negotiated}, +{ERR_REASON(SSL_R_WEAK_DH_GROUP) ,weak dh group}, {ERR_REASON(SSL_R_WRITE_BIO_NOT_SET) ,write bio not set}, {ERR_REASON(SSL_R_WRONG_CERTIFICATE_TYPE),wrong certificate type}, {ERR_REASON(SSL_R_WRONG_CIPHER_RETURNED) ,wrong cipher returned}, -- 1.8.4.rc3 __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
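Review bot: In the new else-if in ssl3_check_cert_and_algorithm, `DH_size(dh)*8` measures the prime in whole bytes, so a prime of 1017 to 1023 bits is counted as 1024 and gets through the check; compare `BN_num_bits(dh->p)` against the limit instead. The literal 1024 would also be better as a named minimum that can be raised in one place, and the `dh == NULL` arm reports SSL_R_WEAK_DH_GROUP even though no group was received at all, which will mislead whoever reads the error.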
RE: [openssl.org #3164] [PATCH] require DH group of 1024 bits
I think a better way to do this would be to have a config param that set the minimum acceptable size. I.e., a #define -- Principal Security Engineer Akamai Technology Cambridge, MA -Original Message- From: owner-openssl-...@openssl.org [mailto:owner-openssl-...@openssl.org] On Behalf Of Daniel Kahn Gillmor via RT Sent: Thursday, November 07, 2013 6:55 AM Cc: openssl-dev@openssl.org Subject: [openssl.org #3164] [PATCH] require DH group of 1024 bits Reject connections to TLS servers that select DH key exchange but offer a weak DH group. --- ssl/s3_clnt.c | 6 ++ ssl/ssl.h | 1 + ssl/ssl_err.c | 1 + 3 files changed, 8 insertions(+) diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index bf1ef47..ef638c4 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -3481,6 +3481,12 @@ int ssl3_check_cert_and_algorithm(SSL *s) SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT); goto f_err; } +else if ((alg_k (SSL_kEDH|SSL_kDHr|SSL_kDHd)) + (dh == NULL || DH_size(dh)*8 1024)) + { + SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_WEAK_DH_GROUP); + goto f_err; + } #ifndef OPENSSL_NO_DSA else if ((alg_k SSL_kDHd) !SSL_USE_SIGALGS(s) !has_bits(i,EVP_PK_DH|EVP_PKS_DSA)) diff --git a/ssl/ssl.h b/ssl/ssl.h index 013345e..36ffa6e 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -3073,6 +3073,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_UNSUPPORTED_SSL_VERSION 259 #define SSL_R_UNSUPPORTED_STATUS_TYPE 329 #define SSL_R_USE_SRTP_NOT_NEGOTIATED 369 +#define SSL_R_WEAK_DH_GROUP 394 #define SSL_R_WRITE_BIO_NOT_SET 260 #define SSL_R_WRONG_CERTIFICATE_TYPE383 #define SSL_R_WRONG_CIPHER_RETURNED 261 diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index e663483..844c600 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c 
@@ -623,6 +623,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {ERR_REASON(SSL_R_UNSUPPORTED_SSL_VERSION),unsupported ssl version}, {ERR_REASON(SSL_R_UNSUPPORTED_STATUS_TYPE),unsupported status type}, {ERR_REASON(SSL_R_USE_SRTP_NOT_NEGOTIATED),use srtp not negotiated}, +{ERR_REASON(SSL_R_WEAK_DH_GROUP) ,weak dh group}, {ERR_REASON(SSL_R_WRITE_BIO_NOT_SET) ,write bio not set}, {ERR_REASON(SSL_R_WRONG_CERTIFICATE_TYPE),wrong certificate type}, {ERR_REASON(SSL_R_WRONG_CIPHER_RETURNED) ,wrong cipher returned}, -- 1.8.4.rc3 __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
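Review bot: The reason string added for SSL_R_WEAK_DH_GROUP in SSL_str_reasons[] says only "weak dh group", so a client that fails the handshake cannot tell how large the offered group was or what minimum applied. Consider attaching the received bit length at the SSLerr() call site with ERR_add_error_data(), so the failure can be diagnosed from the error queue alone.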
Re: [openssl.org #3164] [PATCH] require DH group of 1024 bits
On Thu, Nov 07, 2013, Salz, Rich wrote:

> I think a better way to do this would be to have a config param that set the minimum acceptable size. I.e., a #define

I think the best option is to have a compile time default with a runtime override for this and other related issues. The idea being that an application won't by accident use weak parameters but if (for whatever reason) it really wants to it can override this.

I hope to look at adding a more comprehensive set of checks for other issues with an appropriate API to support it.

In general we could exclude anything with less than (say) 80 bits security strength by default with the overrides mentioned above. That would cover both attempts to configure such parameters (e.g. server gets an error when an attempt is made to configure weak parameters) and attempts to use them (client receives weak parameters from a server).

I'd be interested in suggestions for other related issues, for example:

1. Keys in certificate chains. For example 512 bit RSA keys. Again best a client can do is to reject them.
2. Use of weak ciphersuites. Does anyone still want/need export ciphersuites? For this we could not include weak ciphersuites in ClientHello on the client side and the server not pick them if a client indicates support.
3. Use of algorithms with known security weaknesses: for example MD5 in certificates. We already exclude MD2.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
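The compile-time default with a runtime override discussed in this thread, expressed as a security-strength floor and applied to a DH prime or RSA modulus, as an added sketch that is not OpenSSL code. All names are hypothetical, the strength table follows NIST SP 800-57 Part 1, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdio.h>
/* Compile-time default floor in bits of security strength (hypothetical names). */
#ifndef MIN_STRENGTH_DEFAULT
#define MIN_STRENGTH_DEFAULT 80
#endif
static int min_strength_override = -1;   /* -1: no runtime override set */
void policy_set_min_strength(int bits) { min_strength_override = bits; }
int policy_min_strength(void)
{
    return min_strength_override >= 0 ? min_strength_override : MIN_STRENGTH_DEFAULT;
}

/* Exact bit length of a big-endian integer, ignoring leading zero bytes.
 * Counting whole bytes instead would round a 1017-bit value up to 1024. */
size_t modulus_bits(const unsigned char *p, size_t len)
{
    while (len > 0 && *p == 0) { p++; len--; }
    if (len == 0) return 0;
    size_t bits = (len - 1) * 8;
    for (unsigned char top = *p; top; top >>= 1) bits++;
    return bits;
}

/* Comparable strengths from NIST SP 800-57 Part 1 for DH primes and RSA moduli. */
int strength_for_modulus(size_t bits)
{
    if (bits >= 15360) return 256;
    if (bits >= 7680)  return 192;
    if (bits >= 3072)  return 128;
    if (bits >= 2048)  return 112;
    if (bits >= 1024)  return 80;
    return 0;                      /* below the lowest tabulated level */
}

/* 1 if a received DH prime or certificate RSA modulus meets the policy. */
int modulus_acceptable(const unsigned char *p, size_t len)
{
    return strength_for_modulus(modulus_bits(p, len)) >= policy_min_strength();
}

int main(void)
{
    unsigned char p[128] = {0};   /* constructed sample, not a real prime */
    p[0] = 0x01; p[127] = 0x01;   /* 128 bytes, only 1017 significant bits */
    printf("bytes*8=%zu exact=%zu ok=%d\n", sizeof p * 8,
           modulus_bits(p, sizeof p), modulus_acceptable(p, sizeof p));
    return 0;
}
```

An application that really needs a legacy peer calls `policy_set_min_strength()` with a lower value; everything else inherits the compiled-in floor.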