RE: [openssl.org #3164] [PATCH] require DH group of 1024 bits

2013-11-07 Thread Salz, Rich
I think a better way to do this would be to have a config param that set the 
minimum acceptable size. I.e., a #define

--  
Principal Security Engineer
Akamai Technology
Cambridge, MA



-----Original Message-----
From: owner-openssl-...@openssl.org [mailto:owner-openssl-...@openssl.org] On 
Behalf Of Daniel Kahn Gillmor via RT
Sent: Thursday, November 07, 2013 6:55 AM
Cc: openssl-dev@openssl.org
Subject: [openssl.org #3164] [PATCH] require DH group of 1024 bits 

Reject connections to TLS servers that select DH key exchange but offer a weak 
DH group.
---
 ssl/s3_clnt.c | 6 ++
 ssl/ssl.h | 1 +
 ssl/ssl_err.c | 1 +
 3 files changed, 8 insertions(+)

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index bf1ef47..ef638c4 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -3481,6 +3481,12 @@ int ssl3_check_cert_and_algorithm(SSL *s)

SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
goto f_err;
}
+else if ((alg_k  (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 
+   (dh == NULL || DH_size(dh)*8  1024))
+   {
+   SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_WEAK_DH_GROUP);
+   goto f_err;
+   }
 #ifndef OPENSSL_NO_DSA
else if ((alg_k  SSL_kDHd)  !SSL_USE_SIGALGS(s) 
!has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
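Review bot: The size test in the added else-if uses DH_size(dh)*8, which is the byte length of the prime times eight, so a prime anywhere from 1017 to 1024 bits is counted as 1024; comparing BN_num_bits(dh->p) against the minimum would be exact. The literal 1024 would also read better as a named constant so the threshold lives in one place. Separately, dh == NULL is reported as SSL_R_WEAK_DH_GROUP for SSL_kDHr and SSL_kDHd as well as SSL_kEDH; if dh is only populated for the ephemeral exchange, fixed-DH suites would always fail here with a misleading reason, so it is worth confirming where dh is set for those two cases.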
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 013345e..36ffa6e 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -3073,6 +3073,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_UNSUPPORTED_SSL_VERSION   259
 #define SSL_R_UNSUPPORTED_STATUS_TYPE   329
 #define SSL_R_USE_SRTP_NOT_NEGOTIATED   369
+#define SSL_R_WEAK_DH_GROUP 394
 #define SSL_R_WRITE_BIO_NOT_SET 260
 #define SSL_R_WRONG_CERTIFICATE_TYPE383
 #define SSL_R_WRONG_CIPHER_RETURNED 261
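Review bot: The value 394 for SSL_R_WEAK_DH_GROUP is hand-assigned and nothing in this hunk shows that it is free; the neighbouring codes (259, 329, 369, 260, 383, 261) are not sequential, so a collision would not be obvious from context. Please confirm no other SSL_R_ reason already uses 394, or regenerate the reason codes with make errors rather than editing ssl.h by hand.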
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index e663483..844c600 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -623,6 +623,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=  
{ERR_REASON(SSL_R_UNSUPPORTED_SSL_VERSION),unsupported ssl version},  
{ERR_REASON(SSL_R_UNSUPPORTED_STATUS_TYPE),unsupported status type},  
{ERR_REASON(SSL_R_USE_SRTP_NOT_NEGOTIATED),use srtp not negotiated},
+{ERR_REASON(SSL_R_WEAK_DH_GROUP) ,weak dh group},
 {ERR_REASON(SSL_R_WRITE_BIO_NOT_SET) ,write bio not set},
 {ERR_REASON(SSL_R_WRONG_CERTIFICATE_TYPE),wrong certificate type},
 {ERR_REASON(SSL_R_WRONG_CIPHER_RETURNED) ,wrong cipher returned},
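Review bot: The reason string added for SSL_R_WEAK_DH_GROUP, "weak dh group", tells the person reading the error neither the size the server offered nor the minimum the client requires. Consider a more specific text, or have the call site in s3_clnt.c attach the observed and required bit lengths with ERR_add_error_data so the failure can be diagnosed from the error queue alone.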
--
1.8.4.rc3

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: [openssl.org #3164] [PATCH] require DH group of 1024 bits

2013-11-07 Thread Dr. Stephen Henson
On Thu, Nov 07, 2013, Salz, Rich wrote:

> I think a better way to do this would be to have a config param that set the
> minimum acceptable size. I.e., a #define

I think the best option is to have a compile time default with a runtime
override for this and other related issues. The idea being that an
application won't by accident use weak parameters but if (for whatever reason) 
it really wants to it can override this.

I hope to look at adding a more comprehensive set of checks for other issues
with an appropriate API to support it.

In general we could exclude anything with less than (say) 80 bits security
strength by default with the overrides mentioned above.

That would cover both attempts to configure such parameters (e.g. server gets
an error when an attempt is made to configure weak parameters) and attempts to
use them (client receives weak parameters from a server).

I'd be interested in suggestions for other related issues, for example:

1. Keys in certificate chains. For example 512 bit RSA keys. Again best a
client can do is to reject them.

2. Use of weak ciphersuites. Does anyone still want/need export ciphersuites?
For this we could not include weak ciphersuites in ClientHello on the client
side and the server not pick them if a client indicates support.

3. Use of algorithms with known security weaknesses: for example MD5 in
certificates. We already exclude MD2.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
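
Added example, not part of the original message and not OpenSSL code: one way to express the compile-time default with a runtime override described in the reply above, applied to DH and RSA modulus sizes. Every function and macro name is hypothetical, and the size-to-strength mapping is assumed from the NIST SP 800-57 comparable-strength table.

```c
#include <stdio.h>

/* Hypothetical names throughout; this is not OpenSSL API. */
#ifndef MIN_STRENGTH_DEFAULT
#define MIN_STRENGTH_DEFAULT 80   /* compile-time default, in bits of security */
#endif

static int min_strength = MIN_STRENGTH_DEFAULT;

/* Runtime override: an application that really wants weaker (or stricter)
 * parameters has to ask for them explicitly. Returns the previous value. */
int policy_set_min_strength(int bits)
{
    int old = min_strength;
    if (bits >= 0)
        min_strength = bits;
    return old;
}

/* Approximate strength of a finite-field DH or RSA modulus of the given
 * exact bit length (assumed mapping: NIST SP 800-57 comparable strengths). */
int modulus_strength(int modulus_bits)
{
    if (modulus_bits >= 15360) return 256;
    if (modulus_bits >= 7680)  return 192;
    if (modulus_bits >= 3072)  return 128;
    if (modulus_bits >= 2048)  return 112;
    if (modulus_bits >= 1024)  return 80;
    return 0;   /* below the table: no acceptable strength */
}

/* One check shared by both paths: a server configuring its own parameters
 * and a client receiving parameters from a peer. Returns 1 if acceptable. */
int policy_modulus_ok(int modulus_bits)
{
    return modulus_bits > 0 && modulus_strength(modulus_bits) >= min_strength;
}

int main(void)
{
    int sizes[] = { 512, 1017, 1024, 2048 };   /* constructed sample sizes */
    for (int i = 0; i < 4; i++)
        printf("%d-bit modulus: %s\n", sizes[i],
               policy_modulus_ok(sizes[i]) ? "accept" : "reject");
    return 0;
}
```

The caller must pass the exact bit length of the modulus; a byte count multiplied by eight would let a 1017-bit prime through as 1024.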