[openssl-users] What key length is used for DHE by default ?

Jakob Bohm jb-openssl at wisemo.com
Mon May 25 00:31:43 UTC 2015


On 24/05/2015 05:33, mancha wrote:
> On Fri, 22 May 2015 at 11:17:21AM +0100, Matt Caswell wrote:
>> On 22/05/15 11:11, Nayna Jain wrote:
>>> Hi,
>>>
>>> With the latest Logjam attack, as I was trying to verify if my
>>> server (lighttpd) accepts DHE_xxx ciphers, I saw that it accepted
>>> them, and I didn't do any configuration setting for DH parameters
>>> explicitly.
>>>
>>> But I couldn't verify what key length it used by default:
>>> 512/1024/2048?
>>>
>>> E.g. the one it negotiated was DHE-RSA-AES128-SHA256 and for the TLSv1.2
>>> protocol?
>>>
>>> Will the key length be different for different protocols like
>>> SSLv3/TLSv1.0/TLSv1.1/TLSv1.2? If yes, then what is it for each of them?
>> How that is configured depends on the application that is using
>> OpenSSL. A quick google search throws up this:
>>
>> http://redmine.lighttpd.net/projects/1/wiki/docs_ssl
>>
>> 'Diffie-Hellman and Elliptic-Curve Diffie-Hellman parameters
>> Diffie-Hellman and Elliptic-Curve Diffie-Hellman key agreement
>> protocols will be supported in lighttpd 1.4.29. By default,
>> Diffie-Hellman and Elliptic-Curve Diffie-Hellman key agreement
>> protocols use, respectively, the 1024-bit MODP Group with 160-bit
>> prime order subgroup from RFC 5114 and "prime256v1" (also known as
>> "secp256r1") elliptic curve from RFC 4492. The Elliptic-Curve
>> Diffie-Hellman key agreement protocol is supported in OpenSSL from
>> 0.9.8f version onwards. For maximum interoperability, OpenSSL only
>> supports the "named curves" from RFC 4492.
>>
>> Using the ssl.dh-file and ssl.ec-curve configuration variables, you
>> can define your own set of Diffie-Hellman domain parameters. For
>> example:
>>
>> ssl.dh-file = "/etc/lighttpd/ssl/dh2048.pem"
>> ssl.ec-curve = "secp384r1"'
> OpenSSL users might like to know you can use s_client to diagnose a
> server's Diffie-Hellman profile. Starting with OpenSSL 1.0.2 you can do:
>
> $ openssl s_client -connect www.example.com:443 -cipher "EDH" | grep "Server Temp Key"
>
> If you're testing a server that uses a small (weak) DH group the above
> command might output something like:
>
> Server Temp Key: DH, 512 bits
>
> Note: If you're on OpenSSL 1.0.1 you'll need to apply my back port to
> have this functionality:
>
> https://twitter.com/mancha140/status/602241770961907712
>
> --mancha
>
> P.S. That command also shows the elliptic curve name and bit size when
> using ECDHE and the RSA modulus bit size when RSA is used for the
> temporary key (as done by some export ciphers).
>
BEWARE: If the application is written to use different
DH key lengths for different ciphers (as is traditional),
this will only show the DH group for the current cipher,
not for any other cipher.  In the most common case,
selecting one of the old "export" ciphers will switch
from the longer DH group to a 512 bit DH group!


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
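
One way to act on the caveat in this message when auditing your own server, as an added example that is not part of the original thread: run the s_client check once per cipher string and compare the reported temporary key sizes. The function names, the grading thresholds and the explicit export cipher name are assumptions of this example; the "Server Temp Key" line needs OpenSSL 1.0.2 or the back port mentioned above.

```sh
#!/bin/sh
# Added example: report the temporary key per cipher, because one s_client
# run only shows the group for the cipher that was negotiated.

# Read s_client output on stdin; print "<type> <bits>", e.g. "DH 512".
temp_key() {
    awk -F': ' '/^Server Temp Key:/ {
        n = split($2, f, ", ")       # "ECDH, P-256, 256 bits" has 3 fields
        sub(/ bits.*/, "", f[n])     # keep only the number
        print f[1], f[n]
        exit
    }'
}

# grade TYPE BITS: thresholds are this example's assumption, not the thread's.
grade() {
    case "$1" in
        DH|RSA) ;;
        *) echo "n/a"; return 0 ;;
    esac
    if [ "$2" -lt 1024 ]; then echo WEAK
    elif [ "$2" -lt 2048 ]; then echo LEGACY
    else echo OK
    fi
}

# probe_all HOST:PORT CIPHER...: one handshake per cipher string.
probe_all() {
    target=$1; shift
    for c in "$@"; do
        key=$(openssl s_client -connect "$target" -cipher "$c" \
                  </dev/null 2>/dev/null | temp_key)
        if [ -n "$key" ]; then
            echo "$c: $key bits ($(grade $key))"
        else
            echo "$c: no handshake or no temporary key"
        fi
    done
}

if [ $# -ge 1 ]; then
    # The export suite is only offered by OpenSSL builds that still include it.
    probe_all "$1" "EDH" "DHE-RSA-AES128-SHA256" "EXP-EDH-RSA-DES-CBC-SHA"
else
    # Constructed sample output, parsed offline.
    key=$(printf 'CONNECTED(00000003)\n---\nServer Temp Key: DH, 512 bits\n---\n' | temp_key)
    echo "sample: $key bits ($(grade $key))"
fi
```

Run it with a host:port argument against a server you administer; a size that drops between the first two lines and the export line is the per-cipher switch described above.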


