Posted to dev@tomcat.apache.org by Robert Paasche <r....@pripares.com> on 2015/03/10 17:16:32 UTC

Unsecure use of DH-Cipher

Hi guys,

As requested by Chris, some explanation of the problem.

The problem is that OpenSSL calls the method "SSL_callback_tmp_DH" with a keylen
value of 512 or 1024. This causes the cipher of the SSL handshake (key
exchange) for an SSL connection to never be longer than 1024 bits, even if
the private key is longer (2048 bits and more are very common).

The changes needed to ensure that the used cipher has at least the length
of the private key are posted as a comment to the ticket
https://bz.apache.org/bugzilla/show_bug.cgi?id=56108

Explained code changes:

Get the private key:
  pkey = SSL_get_privatekey(ssl);   /* the server's private key, NULL if none is loaded */
  type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE;   /* RSA, DSA, EC, ... */

If the encryption algorithm is either RSA or DSA, we override the given
keylen parameter to match the length of the private key:
  keylen = EVP_PKEY_bits(pkey);   /* replaces the 512/1024 value OpenSSL passed in */

These changes ensure Perfect Forward Secrecy (PFS) for DH key exchange usage.

The changes are based on lines 1339 - 1357 of the following file of
mod_ssl:
http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c?view=markup

A more detailed description of this problem can be found at:
http://security.stackexchange.com/a/42816

Best,
Robert

Robert Paasche
Senior Developer


pripares GmbH
Altheimer Eck 2
80331 München


Tel +49 (0)89 45 22 808 - 30
Fax +49 (0)89 45 22 808 - 58
Mail r.paasche@pripares.com
Web www.pripares.com


Commercial register: Munich Registry Court HRB 138701
Registered office: Munich
Managing directors: Aßmann Christoph, Ertl Andreas



This e-mail may contain confidential and/or privileged information. If you
are not the intended recipient (or have received this e-mail in error)
please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.

2015-03-10 16:26 GMT+01:00 Christopher Schultz <chris@christopherschultz.net>:

> Robert,
>
> On 3/10/15 10:59 AM, Robert Paasche wrote:
> > this may be a little offtopic, but I posted a fix for the native-library at
> > bug https://bz.apache.org/bugzilla/show_bug.cgi?id=56108.
>
> I saw that comment and proposed patch. I must admit I don't quite
> understand both the problem and the solution (yet). I'd be happy to hear
> an in-depth explanation in another thread. Care to start one and give me
> a quick education?
>
> > The fix is based on the mod_ssl implementation of the httpd project for the
> > DH-based key exchange. This ensures that the used DH-Cipher is at least the
> > size of the private-key, otherwise the Cipher has a length of only 512 or
> > 1024 bits. Is it possible to release this fix within Tomcat 7.0.60?
>
> That depends upon the status of tcnative. If we can get a release done
> for tcnative before Violetta rolls 7.0.60, then it can go in. Otherwise,
> it'll have to wait for 7.0.61. I suspect that 7.0.61 isn't going to be
> months away, so it wouldn't be terrible if tcnative had to wait.
>
> -chris
>
>

Re: Unsecure use of DH-Cipher

Posted by Robert Paasche <r....@pripares.com>.
A DH cipher of length 2048 bits uses a prime of 256, so even a private key
of 8192 bits should match the requirements of Java 7.

Example:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 2048 bits (p: 256, g: 1, Ys: 256)

p = prime


2015-03-10 17:40 GMT+01:00 Rainer Jung <ra...@kippdata.de>:

> On 10.03.2015 at 17:36, Rainer Jung wrote:
>
>  On 10.03.2015 at 17:16, Robert Paasche wrote:
>>
>>> Hi guys,
>>>
>>> As requested by Chris, some explanation of the problem.
>>>
>>> The problem is that OpenSSL calls the method "SSL_callback_tmp_DH" with
>>> a keylen value of 512 or 1024. This causes the cipher of the SSL handshake
>>> (key exchange) for an SSL connection to never be longer than 1024 bits,
>>> even if the private key is longer (2048 bits and more are very common).
>>>
>>> The changes needed to ensure that the used cipher has at least the length
>>> of the private key are posted as a comment to the ticket
>>> https://bz.apache.org/bugzilla/show_bug.cgi?id=56108
>>>
>>> Explained code changes:
>>>
>>> Get the private key:
>>>    pkey = SSL_get_privatekey(ssl);
>>>    type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE;
>>>
>>> If the encryption algorithm is either RSA or DSA, we override the given
>>> keylen parameter to match the length of the private key:
>>>    keylen = EVP_PKEY_bits(pkey);
>>>
>>> These changes ensure Perfect Forward Secrecy (PFS) for DH key exchange
>>> usage.
>>>
>>> The changes are based on lines 1339 - 1357 of the following file of
>>> mod_ssl:
>>> http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c?view=markup
>>>
>>>
>>> A more detailed description of this problem can be found at:
>>> http://security.stackexchange.com/a/42816
>>>
>>
>> Some more data points: the change in httpd was introduced by
>>
>> http://svn.apache.org/viewvc?view=revision&revision=1542327
>>
>> in November. It is a backport to httpd 2.4 from trunk of the following 5
>> changes:
>>
>> http://svn.apache.org/viewvc?view=revision&revision=1526168
>>
>> http://svn.apache.org/viewvc?view=revision&revision=1527291
>>
>> http://svn.apache.org/viewvc?view=revision&revision=1527294
>>
>> http://svn.apache.org/viewvc?view=revision&revision=1527295
>>
>> http://svn.apache.org/viewvc?view=revision&revision=1527926
>> (not relevant here)
>>
>> The r1527295 change contains the following change which IMHO is the one
>> in question:
>>
>> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/
>> ssl_engine_kernel.c?r1=1527295&r2=1527294&pathrev=1527295
>>
>>
>> Most of the other listed changes might be interesting as well.
>>
>
> According to
>
> http://httpd.apache.org/docs/trunk/ssl/ssl_faq.html#javadh
>
> there could be interop problems with Java 7 clients and DH params with
> primes longer than 1024 bits.
>
>
> Rainer
>

Re: Unsecure use of DH-Cipher

Posted by Rainer Jung <ra...@kippdata.de>.
On 10.03.2015 at 17:36, Rainer Jung wrote:
> On 10.03.2015 at 17:16, Robert Paasche wrote:
>> Hi guys,
>>
>> As requested by Chris, some explanation of the problem.
>>
>> The problem is that OpenSSL calls the method "SSL_callback_tmp_DH" with
>> a keylen value of 512 or 1024. This causes the cipher of the SSL handshake
>> (key exchange) for an SSL connection to never be longer than 1024 bits,
>> even if the private key is longer (2048 bits and more are very common).
>>
>> The changes needed to ensure that the used cipher has at least the length
>> of the private key are posted as a comment to the ticket
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=56108
>>
>> Explained code changes:
>>
>> Get the private key:
>>    pkey = SSL_get_privatekey(ssl);
>>    type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE;
>>
>> If the encryption algorithm is either RSA or DSA, we override the given
>> keylen parameter to match the length of the private key:
>>    keylen = EVP_PKEY_bits(pkey);
>>
>> These changes ensure Perfect Forward Secrecy (PFS) for DH key exchange
>> usage.
>>
>> The changes are based on lines 1339 - 1357 of the following file of
>> mod_ssl:
>> http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c?view=markup
>>
>>
>> A more detailed description of this problem can be found at:
>> http://security.stackexchange.com/a/42816
>
> Some more data points: the change in httpd was introduced by
>
> http://svn.apache.org/viewvc?view=revision&revision=1542327
>
> in November. It is a backport to httpd 2.4 from trunk of the following 5
> changes:
>
> http://svn.apache.org/viewvc?view=revision&revision=1526168
>
> http://svn.apache.org/viewvc?view=revision&revision=1527291
>
> http://svn.apache.org/viewvc?view=revision&revision=1527294
>
> http://svn.apache.org/viewvc?view=revision&revision=1527295
>
> http://svn.apache.org/viewvc?view=revision&revision=1527926
> (not relevant here)
>
> The r1527295 change contains the following change which IMHO is the one
> in question:
>
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?r1=1527295&r2=1527294&pathrev=1527295
>
>
> Most of the other listed changes might be interesting as well.

According to

http://httpd.apache.org/docs/trunk/ssl/ssl_faq.html#javadh

there could be interop problems with Java 7 clients and DH params with 
primes longer than 1024 bits.

Rainer


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: Unsecure use of DH-Cipher

Posted by Rainer Jung <ra...@kippdata.de>.
On 10.03.2015 at 17:16, Robert Paasche wrote:
> Hi guys,
>
> As requested by Chris, some explanation of the problem.
>
> The problem is that OpenSSL calls the method "SSL_callback_tmp_DH" with a keylen
> value of 512 or 1024. This causes the cipher of the SSL handshake (key
> exchange) for an SSL connection to never be longer than 1024 bits, even if
> the private key is longer (2048 bits and more are very common).
>
> The changes needed to ensure that the used cipher has at least the length
> of the private key are posted as a comment to the ticket
> https://bz.apache.org/bugzilla/show_bug.cgi?id=56108
>
> Explained code changes:
>
> Get the private key:
>    pkey = SSL_get_privatekey(ssl);
>    type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE;
>
> If the encryption algorithm is either RSA or DSA, we override the given
> keylen parameter to match the length of the private key:
>    keylen = EVP_PKEY_bits(pkey);
>
> These changes ensure Perfect Forward Secrecy (PFS) for DH key exchange usage.
>
> The changes are based on lines 1339 - 1357 of the following file of
> mod_ssl:
> http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c?view=markup
>
> A more detailed description of this problem can be found at:
> http://security.stackexchange.com/a/42816

Some more data points: the change in httpd was introduced by

http://svn.apache.org/viewvc?view=revision&revision=1542327

in November. It is a backport to httpd 2.4 from trunk of the following 5 
changes:

http://svn.apache.org/viewvc?view=revision&revision=1526168

http://svn.apache.org/viewvc?view=revision&revision=1527291

http://svn.apache.org/viewvc?view=revision&revision=1527294

http://svn.apache.org/viewvc?view=revision&revision=1527295

http://svn.apache.org/viewvc?view=revision&revision=1527926
(not relevant here)

The r1527295 change contains the following change which IMHO is the one 
in question:

http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?r1=1527295&r2=1527294&pathrev=1527295

Most of the other listed changes might be interesting as well.

Regards,

Rainer


Re: Unsecure use of DH-Cipher

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Robert,

On 3/10/15 12:16 PM, Robert Paasche wrote:
> Explained code changes:
> 
> Get the private key:
>   pkey = SSL_get_privatekey(ssl);
>   type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE;
> 
> If the encryption algorithm is either RSA or DSA, we override the given
> keylen parameter to match the length of the private key:
>   keylen = EVP_PKEY_bits(pkey);


I think we might also want to change the "switch" at the bottom of the
function to instead check ranges of bits rather than exact sizes.

Due to a typo in generating a certificate at some point, we had a server
certificate with a 4906-bit key. Yes, that's four-nine-oh-six bits
instead of 4096-bit.

(Note that there were some SSL stacks that couldn't handshake with us
because of inflexible acceptable key lengths.)

Given the switch statement that's in sslcontext.c, we'd end up with a
1024-bit DH key instead of the more appropriate and available 4096-bit key.

-chris


Re: Unsecure use of DH-Cipher

Posted by Robert Paasche <r....@pripares.com>.
Sorry, some mails do not reach the list; I will add the information inline:

2015-03-10 18:23 GMT+01:00 Christopher Schultz <chris@christopherschultz.net>:

> Robert,
>
> On 3/10/15 12:16 PM, Robert Paasche wrote:
> > The problem is that OpenSSL calls the method "SSL_callback_tmp_DH" with
> > a keylen value of 512 or 1024. This causes the cipher of the SSL
> > handshake (key exchange) for an SSL connection to never be longer than
> > 1024 bits, even if the private key is longer (2048 bits and more are very
> > common).
> >
> > The changes needed to ensure that the used cipher has at least the
> > length of the private key are posted as a comment to the
> > ticket https://bz.apache.org/bugzilla/show_bug.cgi?id=56108
> >
> > Explained code changes:
> >
> > Get the private key:
> >   pkey = SSL_get_privatekey(ssl);
> >   type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE;
> >
> > If the encryption algorithm is either RSA or DSA, we override the given
> > keylen parameter to match the length of the private key:
> >   keylen = EVP_PKEY_bits(pkey);
>
> So if using a 4096-bit RSA key, a 4096-bit ephemeral DH key will be
> generated on the fly for the handshake? That seems excessive.
>
> It might make more sense to allow the client (Tomcat, in this case, and
> therefore the administrator who is configuring the server) to specify
> the size of the DH key size.
>

This is an option too. httpd offers an alternative way to do this.


>
> > These changes ensure Perfect Forward Secrecy (PFS) for DH key exchange
> > usage.
>
> Isn't DH key-exchange always PFS? The only question is of how many bits
> the ephemeral key will be.
>
>
Yes, it's always PFS, but the question is how effective.
DH with keys of 512 and 1024 bits length has been declared insecure at least
since PRISM in 2013.
This is the reason Apache httpd added the changes to mod_ssl mentioned by
Rainer.

> The session key will be somewhere in the 128-256 bit range, and if
> 1024-bit DH is roughly equivalent to an 80-bit symmetric key, then
> obviously that should change. But, if you have a large asymmetric key
> (e.g. 4906-bit), should the handshake really use that "much"?


> > The changes are based on lines 1339 - 1357 of the following file of
> > mod_ssl:
> > http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c?view=markup
>
> So the short answer is that httpd did this about 18 months ago:
>
>
> http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c?r1=1510527&r2=1542327&diff_format=h
>
> Those changes were far more extensive, including the complete removal of
> ephemeral RSA, which was only available for export-quality (=garbage)
> ciphers.
>
> Perhaps we should adopt the same stance.
>
> -chris
>
>
DH with keys of 512 and 1024 bits length has been declared insecure at least
since PRISM in 2013.
This is the reason Apache httpd added the changes to mod_ssl mentioned by
Rainer.
For example, it reduces your score from SSL Labs.

http://blog.erratasec.com/2013/09/tor-is-still-dhe-1024-nsa-crackable.html#.VP8lU1WG-X4
https://blog.cloudflare.com/cloudflare-prism-secure-ciphers/

Best,
Robert
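
Added example (not code from tcnative, httpd or anyone in this thread): a small C model of the DH size decision the thread is arguing about. It combines Robert's override of keylen with the private key size, Chris's suggestion to check ranges of bits instead of exact switch cases (so the 4906-bit certificate ends up with 4096-bit DH rather than a 1024-bit default), his suggestion that the administrator can configure the size, and Rainer's Java 7 caveat expressed as an explicit cap. The enum, the function names, the list of supported sizes, the 2048-bit floor and the admin_max_bits parameter are assumptions of this example; in a real tmp_dh callback, keylength is the value OpenSSL passes in, the key type and size come from SSL_get_privatekey and EVP_PKEY_bits as in Robert's mail, and the returned size would pick pre-generated DH parameters of that length.

```c
#include <stdio.h>

/* Key types as this example models them; the real callback derives this from
 * EVP_PKEY_type(pkey->type) as shown in Robert's mail. (assumed enum) */
enum key_type { KEY_NONE, KEY_RSA, KEY_DSA, KEY_EC };

/* Sizes for which the server is assumed to have pre-generated DH parameters.
 * 1024 is kept only so an administrator can opt into Java 7 interop. */
static const int kStandardDhBits[] = { 1024, 2048, 3072, 4096, 6144, 8192 };
#define NUM_STANDARD_DH (sizeof(kStandardDhBits) / sizeof(kStandardDhBits[0]))

/* Floor applied unless an administrator explicitly asks for less: the thread
 * treats 512/1024-bit DH as insecure. (assumed policy value) */
#define DH_DEFAULT_MIN_BITS 2048

/* Largest standard size that does not exceed `bits`. This is the range check
 * Chris suggested instead of a switch on exact sizes: a 4906-bit key maps to
 * 4096-bit DH instead of falling through to a 1024-bit default. */
int round_down_to_standard_dh(int bits)
{
    int chosen = kStandardDhBits[0];
    size_t i;
    for (i = 0; i < NUM_STANDARD_DH; i++) {
        if (kStandardDhBits[i] <= bits)
            chosen = kStandardDhBits[i];
    }
    return chosen;
}

/* Decide the ephemeral DH modulus size for one handshake.
 *   keylength       - the 512/1024 value OpenSSL passes to the tmp_dh callback
 *   type, pkey_bits - type and size of the server's private key
 *                     (SSL_get_privatekey / EVP_PKEY_bits in the real code)
 *   admin_max_bits  - administrator-configured upper bound, 0 = no bound
 *                     (e.g. 1024 if Java 7 clients must still connect) */
int select_dh_bits(int keylength, enum key_type type, int pkey_bits, int admin_max_bits)
{
    int wanted = keylength;

    /* Robert's override: for RSA and DSA keys, ask for DH at least as
     * strong as the certificate key instead of OpenSSL's 512/1024. */
    if (type == KEY_RSA || type == KEY_DSA)
        wanted = pkey_bits;

    if (wanted < DH_DEFAULT_MIN_BITS)
        wanted = DH_DEFAULT_MIN_BITS;

    /* An explicit administrator cap wins, even below the default floor. */
    if (admin_max_bits > 0 && wanted > admin_max_bits)
        wanted = admin_max_bits;

    return round_down_to_standard_dh(wanted);
}

int main(void)
{
    /* Constructed sample inputs, taken from the cases discussed in the thread. */
    struct { const char *label; int keylength; enum key_type type; int pkey_bits; int cap; } cases[] = {
        { "2048-bit RSA, OpenSSL asks for 1024",      1024, KEY_RSA, 2048, 0 },
        { "4096-bit RSA",                             1024, KEY_RSA, 4096, 0 },
        { "4906-bit RSA (the typo certificate)",      1024, KEY_RSA, 4906, 0 },
        { "8192-bit RSA",                             1024, KEY_RSA, 8192, 0 },
        { "1024-bit RSA, export keylength 512",        512, KEY_RSA, 1024, 0 },
        { "256-bit EC key, no override",              1024, KEY_EC,   256, 0 },
        { "4096-bit RSA, admin cap 1024 (Java 7)",    1024, KEY_RSA, 4096, 1024 },
    };
    size_t i;
    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        printf("%-42s -> %d-bit DH\n", cases[i].label,
               select_dh_bits(cases[i].keylength, cases[i].type,
                              cases[i].pkey_bits, cases[i].cap));
    }
    return 0;
}
```

The cap deliberately beats the floor: if an administrator sets 1024 for Java 7 interop, that is the size used, which is exactly the trade-off Rainer's link describes; everyone else gets at least 2048 bits and a DH size that tracks the certificate key without demanding an exact match.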