TLS, DH parameters

christian mock cm at tahina.priv.at
Wed Nov 12 19:10:53 UTC 2014


As said previously, I found that even with a 3072 bit RSA key, nnrpd
only offers up 1024 bit DH parameters for Diffie-Hellman negotiation.

Given that the current recommendation for RSA keys is at least 2048
bits, and that the DH key should be of the same size (or it becomes
the weakest link), this is bad.

I now found the reason: nnrpd/tls.c tries, in tmp_dh_cb, to load or
generate DH parameters of the size of the parameter "keylength". The
author probably assumed from the openssl documentation (as I did) that
this "keylength" is in fact the length of the RSA private key.

But it turns out it is not -- deep in the guts of the openssl code one
finds that this parameter can only ever be 512 or 1024, depending on
whether an "export" cipher is negotiated or not. Why there's an
additional "export" parameter to the callback is anyone's guess.

Coding a fix for this would be easy. Deciding on how it should look is
probably not, because of compatibility.

Java versions up to 1.6 or 1.7 are said to have problems with DH keys
> 1024 bits. Some firefox (and thunderbird?) versions may have
problems with keys > 2048 bits. Other libraries and clients are
anyone's guess.

From a technical POV, my idea of a solution would be:

a) compile in a list of known-good DH params of various sizes (the IKE
  DH groups, RFC 3526, plus for 512 bits the current SKIP group)

b) select the smallest group >= RSA key size

c) use the chosen group (or the 512-bit one for export ciphers)

d) allow the administrator to configure a file to load his preferred DH
   params from, overriding b).

The problem I see with this is that the unwitting administrator, on
upgrade, will have his users complain about mysterious connection
failures that will be very hard to debug, and, given the miserable
quality of user interfaces, impossible to distinguish from any other
cause of connection failures.

The backward-compatible solution would be to leave it like it is and
just provide the option to load your own parameters (d above). No
surprises, and one can still configure stronger parameters.

cm.

-- 
Did somebody get bad vibes in his global pancake aura because he was
told to please stop constantly crossposting with full quotes to 10
groups at once?
 Albert Koellner in at.usenet
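The selection policy sketched in the post (steps b, c and d), plus the
administrator override file of step d, as an added example that is not part
of the original post and not INN's own nnrpd/tls.c code. It is written in
Python rather than C so it runs without OpenSSL: the compiled-in groups are
represented only by their bit sizes (the primes are assumed to live elsewhere),
legacy_nnrpd_dh_bits() models the behaviour the post describes (the callback's
"keylength" being 512 or 1024 depending only on the export flag), and the
administrator's file is parsed as an OpenSSL-style "DH PARAMETERS" PEM block
(DER SEQUENCE { INTEGER p, INTEGER g }) so its modulus size can be checked
against the RSA key. All function names and the sample PEM are my own; the
sample modulus is a constructed placeholder, not a real prime.

```python
"""
Added example: DH group selection policy and admin-supplied parameter file.
Not part of the inn-workers post or of INN; names and sample data are assumed.
"""
import base64
import re

# Sizes (bits) of the groups assumed to be compiled in: 512 for export ciphers
# (the post mentions the SKIP group), 768/1024 from RFC 2409, 1536..8192 from
# RFC 3526. Only sizes are modelled here; the primes are assumed to be
# available elsewhere in the real implementation.
COMPILED_IN_GROUP_BITS = (512, 768, 1024, 1536, 2048, 3072, 4096, 6144, 8192)
EXPORT_GROUP_BITS = 512


def legacy_nnrpd_dh_bits(export):
    """Model of the pre-fix behaviour described in the post: OpenSSL passes
    keylength=512 for export ciphers and 1024 otherwise, regardless of the
    RSA key size, and the old code sized its DH parameters from that."""
    return 512 if export else 1024


def select_dh_bits(rsa_bits, export=False, admin_override_bits=None):
    """Steps b)-d) of the post: export ciphers always get the 512-bit group;
    an administrator-supplied group (d) overrides the automatic choice (b);
    otherwise pick the smallest compiled-in group >= the RSA key size, falling
    back to the largest group when the key is bigger than all of them."""
    if export:
        return EXPORT_GROUP_BITS
    if admin_override_bits is not None:
        return admin_override_bits
    for bits in COMPILED_IN_GROUP_BITS:
        if bits >= rsa_bits:
            return bits
    return COMPILED_IN_GROUP_BITS[-1]


def dh_weaker_than_rsa(rsa_bits, dh_bits):
    """True when the DH group is the 'weakest link' the post warns about."""
    return dh_bits < rsa_bits


# --- minimal DER handling for PKCS#3 DHParameter (SEQUENCE of INTEGERs) ---

def _der_len(n):
    """Encode a DER length (short form < 0x80, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_int(n):
    """Encode a non-negative INTEGER; (bits+8)//8 bytes keeps the sign bit clear."""
    b = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return bytes([0x02]) + _der_len(len(b)) + b


def _der_read_tlv(buf, pos):
    """Decode one tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the length of the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params_der(der):
    """Return (p, g) from SEQUENCE { INTEGER p, INTEGER g, ... }; extra trailing
    INTEGERs (e.g. q of X9.42 parameters, privateValueLength) are ignored."""
    tag, body, _ = _der_read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    ints, pos = [], 0
    while pos < len(body) and len(ints) < 2:
        tag, val, pos = _der_read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        ints.append(int.from_bytes(val, "big", signed=True))
    if len(ints) < 2:
        raise ValueError("need at least p and g")
    p, g = ints
    if p <= 0 or g <= 1:
        raise ValueError("p must be positive and g > 1")
    return p, g


def parse_dh_params_pem(text):
    """Extract and decode the first '-----BEGIN DH PARAMETERS-----' block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    return parse_dh_params_der(base64.b64decode("".join(m.group(1).split())))


def dh_params_bits(text):
    """Modulus size in bits of the parameters in an admin-supplied PEM file."""
    p, _ = parse_dh_params_pem(text)
    return p.bit_length()


def make_dh_params_pem(p, g):
    """Encode (p, g) as a DH PARAMETERS PEM block (used to build the sample)."""
    body = _der_int(p) + _der_int(g)
    der = bytes([0x30]) + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def choose_dh_bits_for_server(rsa_bits, export=False, admin_pem=None):
    """Apply the admin file if present, then the policy, then the weakest-link
    check. Returns (dh_bits, warning_or_None)."""
    override = dh_params_bits(admin_pem) if admin_pem else None
    dh_bits = select_dh_bits(rsa_bits, export, override)
    warning = None
    if not export and dh_weaker_than_rsa(rsa_bits, dh_bits):
        warning = "DH group (%d bits) is weaker than the RSA key (%d bits)" % (dh_bits, rsa_bits)
    return dh_bits, warning


# Constructed sample "admin file": a 2048-bit placeholder modulus, NOT a prime
# and not usable for real DH; it only exercises the parser and the size check.
SAMPLE_ADMIN_PEM = make_dh_params_pem((1 << 2047) | 1, 2)

if __name__ == "__main__":
    print("legacy, 3072-bit RSA:", legacy_nnrpd_dh_bits(False))
    print("fixed,  3072-bit RSA:", choose_dh_bits_for_server(3072))
    print("admin file overrides:", choose_dh_bits_for_server(3072, admin_pem=SAMPLE_ADMIN_PEM))
```

The example only measures the modulus size; it does not test primality or the
safe-prime property, which an administrator should still check on a real file
with `openssl dhparam -check -in <file>` before pointing the server at it.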


More information about the inn-workers mailing list