You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2010/07/06 15:12:42 UTC
DO NOT REPLY [Bug 49559] New: Patch to add user-specified
Diffie-Hellman parameters
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
Summary: Patch to add user-specified Diffie-Hellman parameters
Product: Apache httpd-2
Version: 2.2.14
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: mod_ssl
AssignedTo: bugs@httpd.apache.org
ReportedBy: erwann.abalea@keynectis.com
Created an attachment (id=25714)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=25714)
Allow admin-choosen DH parameters for DHE enabled cipher-modes
In order to be EAL4+ validated for one of our customers, Apache needs to be
able to support 2048+ bits group size for Diffie-Hellman parameters. Right now,
temporary parameters are 512 and 1024 bits only.
We can still disallow DH at all, leaving only RSA for authentication and
pre-master secret encryption, but that's a suboptimal solution, as we then
loose forward secrecy.
Adding a 2048 bits DH temporary key into mod_ssl is not possible, since OpenSSL
would only ask for a 512/1024 bits one, depending on the "exportability" of the
choosen ciper-mode.
This patch adds a new configuration directive, "SSLDHParametersFile <file>",
allowing the administrator to supply its own Diffie-Hellman parameters
("openssl dhparam 2048 > dhparam2048.pem" to generate 2048 bits ones, for
example).
If this directive is specified and parameters are found in the supplied file,
then these parameters will be used whenever DHE is used to negociate the
pre-master secret. If this directive is not used, then it works like it does
now, leaving OpenSSL ask mod_ssl for a set of parameters of the desired size
(512 or 1024 bits).
We'd like this to be evaluated, discussed, and if possible, applied.
Regards.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 49559] Patch to add user-specified Diffie-Hellman parameters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
walch.martin@web.de changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |walch.martin@web.de
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 49559] Patch to add user-specified Diffie-Hellman parameters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
--- Comment #10 from falco <hi...@falco.me> ---
(In reply to Kaspar Brand from comment #8)
I applied your patch in my testing environment with httpd-2.4.6 and it works as
advertised. After appending DH parameters to the certificate file, all DH
ciphers were using the expected key size.
I found it a bit confusing that you actually have to put the params alongside
your certificate into one file. One has to pay more attention to these
additional settings on changing the certificate.
But if it is actually way more easy to implement DH / ECDHE parameters this
way, then it is probably the way to go.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 49559] Patch to add user-specified Diffie-Hellman parameters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
Kaspar Brand <as...@velox.ch> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords|FixedInTrunk |
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #19 from Kaspar Brand <as...@velox.ch> ---
Fixed in 2.4.7 with r1542327.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 49559] Patch to add user-specified Diffie-Hellman parameters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
Ivan Ristic <iv...@webkreator.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |ivanr@webkreator.com
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 49559] Patch to add user-specified Diffie-Hellman parameters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
MikeM <mi...@aquaorange.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |michaelm12-asfbugzilla@aqua
| |orange.net
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 49559] Patch to add user-specified Diffie-Hellman parameters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
--- Comment #7 from harald.dunkel@aixigo.de ---
I'd love to see this added to 2.2.x and 2.4.y
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 49559] Patch to add user-specified Diffie-Hellman parameters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
Tom Ritter <to...@ritter.vg> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |tom@ritter.vg
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 49559] Patch to add user-specified Diffie-Hellman parameters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
Brian Smith <br...@briansmith.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |brian@briansmith.org
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 49559] Patch to add user-specified Diffie-Hellman parameters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
Kaspar Brand <as...@velox.ch> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #30804|0 |1
is obsolete| |
--- Comment #13 from Kaspar Brand <as...@velox.ch> ---
Comment on attachment 30804
--> https://issues.apache.org/bugzilla/attachment.cgi?id=30804
PoC: read (EC)DHE parameters from SSLCertificateFile (applies to trunk and
2.4.x)
For trunk, this issue has been addressed with r1527295 (with updated
documentation under
https://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslcertificatefile). A
backport proposal for 2.4.x will likely follow.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 49559] Patch to add user-specified Diffie-Hellman parameters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
--- Comment #12 from Leonardo <fr...@gmail.com> ---
DH-parameters should always be at least the same size as the SSL certificate,
so if I use 4096 or even 8192 bit for the certificate a DH parameter with only
2048 bit would effectively weaken the whole connection down to 2048 bit, which
we don't want and in a few years we would have the exactly same situation ( DH
parameters too weak and not FULLY selectable) as we do right now
So please consider this and let the admin choose freely, but at least make sure
DH parameters bits are never smaller than SSL certificate bits!
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 49559] Patch to add user-specified Diffie-Hellman parameters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
--- Comment #16 from nick@noodles.net.nz ---
Sorry, was a config error on my side. Patch works well.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 49559] Patch to add user-specified Diffie-Hellman parameters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
Erwann Abalea <er...@keynectis.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Version|2.2.14 |2.4-HEAD
--- Comment #2 from Erwann Abalea <er...@keynectis.com> ---
A new version of the patch has been provided, based on httpd 2.4.2.
When generating your own DH parameters, add the "-dsaparam" option to openssl
commandline, this speeds up the handshake by about 15% for a 1024bits prime to
30% for a 2048bits prime.
With "-dsaparam" option, the private key is limited to 160 bits for a <2048bits
prime, and 256 bits for a >=2048bits one. You then have 80bits of security for
a 1024bits prime, but based on NFS results you can't get much.
2048bits prime with a 256bits private key length gives you 128bits of security.
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 49559] Patch to add user-specified Diffie-Hellman parameters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
Daniel Kahn Gillmor <dk...@fifthhorseman.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dkg@fifthhorseman.net
--- Comment #17 from Daniel Kahn Gillmor <dk...@fifthhorseman.net> ---
I'm glad to see this patch being backported to 2.4. What are the
considerations for backporting it to the 2.2.x branch as well?
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 49559] Patch to add user-specified Diffie-Hellman parameters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
Lars Wendler <po...@gentoo.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |polynomial-c@gentoo.org
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 49559] Patch to add user-specified Diffie-Hellman parameters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
--- Comment #8 from Kaspar Brand <as...@velox.ch> ---
Created attachment 30804
--> https://issues.apache.org/bugzilla/attachment.cgi?id=30804&action=edit
PoC: read (EC)DHE parameters from SSLCertificateFile (applies to trunk and
2.4.x)
I'm fine with the idea, but the implementation in the patches submitted so far
is too complex, in my opinion (in particular the SSL_read_DHparams stuff, which
tries to support/read three different formats).
Here is an alternative proposal:
- only support PEM-formatted parameters (-----BEGIN DH PARAMETERS---- /
-----END DH PARAMETERS-----)
- use the existing SSLCertificateFile directive to support per-vhost, custom
DHE and ECDHE parameters
Attached is a - lightly tested - proof of concept, to be applied to either
trunk or 2.4.x... testing and feedback welcome. To specify EC curve names,
append the output of "openssl ecparam -name secp521r1" or your favorite curve
to SSLCertificateFile (of course the docs for SSLCertificateFile would have to
be extended, if there is a general agreement on taking this approach).
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 49559] Patch to add user-specified Diffie-Hellman parameters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
--- Comment #6 from Christoph von Wittich <Ch...@ApiViewer.de> ---
Would someone please apply this patch to 2.2.x and 2.4.x ... ?
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 49559] Patch to add user-specified Diffie-Hellman parameters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
--- Comment #11 from Kaspar Brand <as...@velox.ch> ---
(In reply to Erwann Abalea from comment #9)
> This function is similar to SSL_read_X509 and SSL_read_PrivateKey defined in
> the same file, and used by the module to read the corresponding objects.
Perhaps this is an opportunity to clean up some mod_ssl cruft... I just took an
extended proposal to the mailing list, to stir some further discussion:
http://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.2070704@velox.ch%3E
Additionally, I think we should consider to use 2048-bit DH parameters by
default if the cert's RSA/DSA key is 2048 bits or more (so that sysadmin's
don't have to generate their custom DH parameters to get more than 1024 bits
for DHE). Changing this by default is probably debatable, and therefore another
reason I'm taking it to the list.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 49559] Patch to add user-specified Diffie-Hellman parameters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
--- Comment #9 from Erwann Abalea <er...@keynectis.com> ---
(In reply to Kaspar Brand from comment #8)
> Created attachment 30804 [details]
> PoC: read (EC)DHE parameters from SSLCertificateFile (applies to trunk and
> 2.4.x)
>
> I'm fine with the idea, but the implementation in the patches submitted so
> far is too complex, in my opinion (in particular the SSL_read_DHparams
> stuff, which tries to support/read three different formats).
This function is similar to SSL_read_X509 and SSL_read_PrivateKey defined in
the same file, and used by the module to read the corresponding objects.
That said, I'm not fluent in Apache internals, and I admit some things may have
been done more easily. I tried to mimic how already existing elements (keys and
certs) were declared, registered and used, when adding a new element type
(DHParams).
> - use the existing SSLCertificateFile directive to support per-vhost, custom
> DHE and ECDHE parameters
The original patch is also vhost-aware.
It doesn't know about ECDHE, that's true. That wasn't critical at that time
(2010) because nobody used ECDHE, and even today the used curve is the standard
NIST P256, offering 128bits of security in theory. Since a few weeks, some
people want to be able to specify the curve used, there's nothing wrong with
that.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 49559] Patch to add user-specified Diffie-Hellman parameters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
--- Comment #3 from MikeM <mi...@aquaorange.net> ---
Any idea on when this might make it into 2.4.x or 2.2.x?
Many thanks.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 49559] Patch to add user-specified Diffie-Hellman parameters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
--- Comment #4 from Leonardo <fr...@gmail.com> ---
I would like to see this added to 2.2.x and 2.4.x too!
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 49559] Patch to add user-specified Diffie-Hellman parameters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
D <da...@taverner.cs.berkeley.edu> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |daw-bugzilla@taverner.cs.be
| |rkeley.edu
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 49559] Patch to add user-specified Diffie-Hellman parameters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
--- Comment #15 from nick@noodles.net.nz ---
The patch https://people.apache.org/~kbrand/mod_ssl-2.4.x-ekh.diff seems to
break TLS 1.1 and 1.2 on my setup (RHEL 6.x, apache 2.4.6, openssl 1.0.1e). I
haven't had a chance to look into it further, but using ssllabs.com it no
longer showed me as supporting > TLS 1.0
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 49559] Patch to add user-specified Diffie-Hellman parameters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
--- Comment #20 from Jackie Rosen <ja...@hushmail.com> ---
*** Bug 260998 has been marked as a duplicate of this bug. ***
Seen from the domain http://volichat.com
Page where seen: http://volichat.com/adult-chat-rooms
Marked for reference. Resolved as fixed @bugzilla.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 49559] Patch to add user-specified Diffie-Hellman
parameters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
Erwann Abalea <er...@keynectis.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords| |PatchAvailable
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 49559] Patch to add user-specified Diffie-Hellman parameters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
Kaspar Brand <as...@velox.ch> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #28699|0 |1
is obsolete| |
--- Comment #18 from Kaspar Brand <as...@velox.ch> ---
Comment on attachment 28699
--> https://issues.apache.org/bugzilla/attachment.cgi?id=28699
Updated patch for 2.4.2
Marking as obsolete, since a different approach has been implemented in 2.4.x.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 49559] Patch to add user-specified Diffie-Hellman parameters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
apache@regatus.net changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |apache@regatus.net
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 49559] Patch to add user-specified Diffie-Hellman parameters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
--- Comment #1 from Erwann Abalea <er...@keynectis.com> ---
Created attachment 28699
--> https://issues.apache.org/bugzilla/attachment.cgi?id=28699&action=edit
Updated patch for 2.4.2
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 49559] Patch to add user-specified Diffie-Hellman parameters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
--- Comment #5 from Geoffroy GRAMAIZE <ge...@gramaize.eu> ---
In addition, Elliptic Curve choice should also be given to the server admin in
a similar way (e.g. SSLCurveList <enabled_curve_list> ). Tell the admin to
execute 'openssl ecparam -list_curves' to get a list of the supported curves.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 49559] Patch to add user-specified Diffie-Hellman parameters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
Tj <0....@iam.tj> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |0.apache@iam.tj
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 49559] Patch to add user-specified Diffie-Hellman parameters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
Kaspar Brand <as...@velox.ch> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords|PatchAvailable |FixedInTrunk
--- Comment #14 from Kaspar Brand <as...@velox.ch> ---
Backport to 2.4.x proposed with r1528154. Patch available at
https://people.apache.org/~kbrand/mod_ssl-2.4.x-ekh.diff.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org