Sorry, some mails do not reach the list; I will add the information inline:

2015-03-10 18:23 GMT+01:00 Christopher Schultz <ch...@christopherschultz.net>:
> Robert,
>
> On 3/10/15 12:16 PM, Robert Paasche wrote:
> > The problem is that OpenSSL calls the method "SSL_callback_tmp_DH" with a
> > keylen value of 512 or 1024. This causes the cipher of the SSL
> > handshake (key exchange) for an SSL connection to never be longer than
> > 1024 bits, even if the private key is longer (2048 bits and more are very
> > common).
> >
> > The needed changes to ensure that the used cipher has at least the
> > length of the private key are posted as a comment to the
> > ticket https://bz.apache.org/bugzilla/show_bug.cgi?id=56108
> >
> > Explained code changes:
> >
> > Get the private key:
> > pkey = SSL_get_privatekey(ssl);
> > type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE;
> >
> > If the encryption algorithm is either RSA or DSA, we override the given
> > keylen parameter to match the length of the private key:
> > keylen = EVP_PKEY_bits(pkey);
>
> So if using a 4096-bit RSA key, a 4096-bit ephemeral DH key will be
> generated on the fly for the handshake? That seems excessive.
>
> It might make more sense to allow the client (Tomcat, in this case, and
> therefore the administrator who is configuring the server) to specify
> the size of the DH key size.
>

This is an option too. Httpd offers an alternative way to do this.

> > These changes ensure Perfect Forward Secrecy (PFS) for DH key exchange
> > usage.
>
> Isn't DH key-exchange always PFS? The only question is of how many bits
> the ephemeral key will be.
>

Yes, it's always PFS, but the question is how effective. DH with keys of 512 and 1024 bit length has been declared insecure at least since PRISM in 2013. This is the reason Apache httpd added the changes to mod_ssl mentioned by Rainer.

> The session key will be somewhere in the 128-256 bit range, and if
> 1024-bit DH is roughly equivalent to an 80-bit symmetric key, then
> obviously that should change. But, if you have a large asymmetric key
> (e.g. 4906-bit), should the handshake really use that "much"?
> > The changes are based on lines 1339 - 1357 from the following file of
> > mod_ssl:
> >
> > http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c?view=markup
>
> So the short answer is that httpd did this about 18 months ago:
>
> http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c?r1=1510527&r2=1542327&diff_format=h
>
> Those changes were far more extensive, including the complete removal of
> ephemeral RSA, which was only available for export-quality (=garbage)
> ciphers.
>
> Perhaps we should adopt the same stance.
>
> -chris
>

DH with keys of 512 and 1024 bit length has been declared insecure at least since PRISM in 2013. This is the reason Apache httpd added the changes to mod_ssl mentioned by Rainer. For example, it reduces your score from SSL Labs.

http://blog.erratasec.com/2013/09/tor-is-still-dhe-1024-nsa-crackable.html#.VP8lU1WG-X4
https://blog.cloudflare.com/cloudflare-prism-secure-ciphers/

Best,
Robert
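The size-selection policy this thread argues about, as an added example that is not part of the original message and is not Tomcat's or httpd's code: follow the private key length for RSA/DSA as proposed above, then apply an administrator cap as suggested in the reply. The names `select_tmp_dh_bits`, `enum key_type` and `max_bits`, and the list of shipped group sizes, are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical stand-in for the EVP_PKEY_type() result used in the thread. */
enum key_type { KEY_NONE, KEY_RSA, KEY_DSA, KEY_EC };

/* Assumption: DH group sizes the server has prebuilt parameters for, ascending. */
static const int dh_sizes[] = { 1024, 2048, 3072, 4096 };
#define N_DH_SIZES (sizeof dh_sizes / sizeof dh_sizes[0])

/*
 * requested: keylen handed to the temp-DH callback (512 or 1024 per the thread)
 * key_bits:  size of the server's private key
 * max_bits:  administrator cap on the DH size, 0 meaning "no cap" (hypothetical)
 * Returns the largest shipped group size that does not exceed the wanted size;
 * the smallest shipped size is the floor, so a 512 request is never honoured.
 */
int select_tmp_dh_bits(int requested, enum key_type type, int key_bits, int max_bits)
{
    int want = requested;
    int chosen = dh_sizes[0];
    size_t i;

    /* Proposal from the thread: for RSA/DSA, follow the private key length. */
    if (type == KEY_RSA || type == KEY_DSA)
        want = key_bits;
    /* Suggestion from the reply: let the administrator bound the size. */
    if (max_bits > 0 && want > max_bits)
        want = max_bits;
    for (i = 0; i < N_DH_SIZES; i++)
        if (dh_sizes[i] <= want)
            chosen = dh_sizes[i];
    return chosen;
}

int main(void)
{
    /* Constructed inputs: 2048-bit RSA, then 4096-bit RSA uncapped and capped. */
    printf("%d\n", select_tmp_dh_bits(1024, KEY_RSA, 2048, 0));
    printf("%d\n", select_tmp_dh_bits(1024, KEY_RSA, 4096, 0));
    printf("%d\n", select_tmp_dh_bits(1024, KEY_RSA, 4096, 2048));
    return 0;
}
```

With the cap set to 2048, the 4096-bit RSA case from the reply yields a 2048-bit group instead of a 4096-bit one, while key types other than RSA/DSA fall back to the requested length raised to the smallest shipped group.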