[openssl-dev] [openssl.org #3643] SSL_CTX_set_tmp_dh_callback doc misleading WRT "keylength" param

christian mock via RT rt at openssl.org
Wed Dec 31 14:42:19 UTC 2014


The documentation for SSL_CTX_set_tmp_dh_callback and
SSL_set_tmp_dh_callback is misleading with regard to the "keylength"
parameter provided to the callback. 

The documentation and the example imply that the "keylength" parameter
will be adequate to whatever the used RSA key is, when in reality they
can only ever take the values 512 or 1024 (The same seems to apply for
the ECDH callback, although I'm not 100% positive).

Although one could argue that it is not stated explicitly, this seems
to be a widespread misunderstanding; the EXAMPLE section in
doc/ssl/SSL_CTX_set_tmp_dh_callback.pod falls into this trap, as did
the INN2 TLS code, and probably also Apache until they fixed it in
2.4.7.

Also, a recent paper (http://www.w2spconf.com/2014/papers/TLS.pdf)
finds "we discovered that 82.9% of the servers supporting DHE used
Diffie-Hellman parameters that are weaker than their RSA signature
strengths."

So I think this is a real-world security problem.

Details (in 1.0.1j):

When calling the callback, the "keylength" parameter is
generated thusly (s3_srvr.c:1632):

  SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));

which can only ever return 512 or 1024 (ssl_locl.h:439):

#define SSL_EXPORT_PKEYLENGTH(a) (SSL_IS_EXPORT40(a) ? 512 : 1024)
#define SSL_C_EXPORT_PKEYLENGTH(c) SSL_EXPORT_PKEYLENGTH((c)->algo_strength)

Regards,

cm.

-- 
>I walked past a church last week and noticed a small sign
>indicating "Low Mass" early in the morning.
They worship $DIETY, for they are seekers of the Lite.
  -- Jeffrey M. Vinocur and Anthony de Boer
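To make the report concrete, here is an added illustration (not OpenSSL code and not part of the message above) that mirrors the SSL_EXPORT_PKEYLENGTH logic quoted in the details and contrasts a callback that trusts "keylength" with one that sizes the ephemeral DH group from the certificate's own RSA key. The EXPORT40_FLAG value, the group table and the helper names are constructed for the example.

```c
#include <stdio.h>

/* Constructed stand-in for the cipher's algo_strength flags; in OpenSSL
 * 1.0.1 the real bits live in ssl_locl.h. Only the export-40 bit matters. */
#define EXPORT40_FLAG 0x01UL

/* Mirrors SSL_EXPORT_PKEYLENGTH from the report: the "keylength" handed to
 * a tmp_dh callback is 512 for 40-bit export ciphers and 1024 for every
 * other suite, independent of how large the server's RSA key is. */
static int export_pkeylength(unsigned long algo_strength)
{
    return (algo_strength & EXPORT40_FLAG) ? 512 : 1024;
}

/* What a callback written against the misleading documentation does: it
 * takes "keylength" at face value and so never serves more than 1024-bit
 * DH parameters. */
static int naive_dh_bits(int keylength)
{
    return keylength;
}

/* Hardened choice: derive the DH modulus size from the certificate key
 * strength (a real callback would read it from the server certificate's
 * public key, e.g. with EVP_PKEY_bits()), rounding up to a standard group. */
static int dh_bits_for_cert(int rsa_bits)
{
    static const int groups[] = { 1024, 2048, 3072, 4096 };
    size_t n = sizeof groups / sizeof groups[0];
    for (size_t i = 0; i < n; i++)
        if (groups[i] >= rsa_bits)
            return groups[i];
    return groups[n - 1];   /* cap at the largest group in the table */
}

/* Returns 1 when the naive callback would serve DH parameters weaker than
 * the RSA signing key, i.e. exactly the mismatch the report describes. */
static int dh_weaker_than_rsa(unsigned long algo_strength, int rsa_bits)
{
    return naive_dh_bits(export_pkeylength(algo_strength)) < rsa_bits;
}

int main(void)
{
    int rsa_bits = 2048;               /* constructed: typical server key */
    int kl = export_pkeylength(0);     /* non-export cipher suite */
    printf("keylength=%d naive DH=%d hardened DH=%d weaker=%d\n",
           kl, naive_dh_bits(kl), dh_bits_for_cert(rsa_bits),
           dh_weaker_than_rsa(0, rsa_bits));
    return 0;
}
```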