[openssl-dev] Weak DH and the Logjam

Hubert Kario hkario at redhat.com
Wed May 20 13:14:07 UTC 2015


On Wednesday 20 May 2015 07:11:42 mancha wrote:
> Hello.
> 
> Given Adrien et al.'s recent paper [1] together with their
> proof-of-concept attacks against 512-bit DH groups [2], it might be a
> good time to resurrect a discussion Daniel Kahn Gillmor has started
> here in the past.
> 
> Namely, whether it makes sense for OpenSSL to reject DH groups smaller
> than some minimum. Say, 1024 bits (or more). Currently, a client
> implementation built on OpenSSL will happily accept small DH groups from
> a peer (e.g. 16-bit DH group [3]).
> 
> [1] https://weakdh.org/imperfect-forward-secrecy.pdf
> [2] https://weakdh.org/logjam.html
> [3] openssl s_client -connect demo.cmrg.net:443 < /dev/null
> 
> --mancha
> 
> PS My understanding is Google Chrome will soon be rejecting all DH
> groups smaller than 1024 bits.

I think it should be user configurable (preferably using a config file, as
environment variables are cleared by daemons).

Firstly, if you need to interoperate with Java 6, you'll need to accept 768 
bit DH.

Secondly, some people may be uncomfortable with accepting 1024 bit DH.

Thirdly, hardcoding a 1024 bit minimum just pushes the problem forward, to a
time when 1024 can be broken as easily as 512 bit is now, but then the target
servers won't be ones that enable export grade DHE but vanilla Apache 2.2 
servers and others like it.

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
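
The following is an added example, not part of the original message and not OpenSSL code: a stand-alone sketch of the check under discussion, comparing the size of the peer's DH prime with a minimum supplied by the caller's configuration. It assumes the TLS ServerDHParams layout (dh_p, dh_g, dh_Ys, each with a 2-byte length prefix); the function name, result codes and sample bytes are hypothetical and constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { DH_OK = 0, DH_TOO_SMALL = -1, DH_MALFORMED = -2 };

/* Constructed samples (not captured traffic): ServerDHParams with a 16-bit p
 * (0xFFF1) and with a 768-bit p (top bit set; size matters here, not primality). */
static const uint8_t SAMPLE_16[] = {0x00,0x02,0xFF,0xF1, 0x00,0x01,0x02, 0x00,0x02,0x12,0x34};
static const uint8_t SAMPLE_768[104] = {0x00,0x60,0x80, [98] = 0x00,0x01,0x02, 0x00,0x01,0x05};

/* Bit length of a big-endian integer; leading zero bytes do not count. */
static int be_bits(const uint8_t *b, size_t len)
{
    while (len > 0 && *b == 0) { b++; len--; }
    if (len == 0) return 0;
    int bits = (int)(len - 1) * 8;
    for (uint8_t top = *b; top != 0; top >>= 1) bits++;
    return bits;
}

/* Read one opaque<1..2^16-1> vector (2-byte big-endian length prefix). */
static int read_vec(const uint8_t **cur, const uint8_t *end, const uint8_t **v, size_t *n)
{
    if (end - *cur < 2) return -1;
    *n = ((size_t)(*cur)[0] << 8) | (*cur)[1];
    *cur += 2;
    if (*n == 0 || (size_t)(end - *cur) < *n) return -1;
    *v = *cur;
    *cur += *n;
    return 0;
}

/* Hypothetical policy check: parse dh_p, dh_g, dh_Ys and compare the size of p
 * with min_bits, which the caller loads from its configuration. */
int check_server_dh_params(const uint8_t *msg, size_t len, int min_bits, int *p_bits)
{
    const uint8_t *cur = msg, *end = msg + len, *p, *g, *ys;
    size_t pn, gn, ysn;
    *p_bits = 0;
    if (read_vec(&cur, end, &p, &pn) || read_vec(&cur, end, &g, &gn) ||
        read_vec(&cur, end, &ys, &ysn)) return DH_MALFORMED;
    *p_bits = be_bits(p, pn);
    return *p_bits < min_bits ? DH_TOO_SMALL : DH_OK;
}

int main(void)
{
    int bits, rc = check_server_dh_params(SAMPLE_16, sizeof SAMPLE_16, 1024, &bits);
    printf("p is %d bits, result %d\n", bits, rc);
    return 0;
}
```

With the minimum set to 768 the 768-bit sample is accepted, and with 1024 it is rejected, so the same code serves both the Java 6 interoperability case and a stricter deployment.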