Hello everyone, I’m hardening HAProxy for CVE-2002-20001 (DHEAT attack) at the moment.
For TLS 1.2 I’m using the “tune.ssl.default-dh-param” option to limit the key size to 2048 bit so that an attacker can’t force huge keys and thus lots of CPU cycles on the server. However, I’ve noticed that the property has no effect on TLS 1.3 connections. An attacker can still negotiate an 8192-bit key and brick the server with relative ease. I’ve found an OpenSSL blog article about the issue: https://www.openssl.org/blog/blog/2022/10/21/tls-groups-configuration/index.html As it seems, this used to be a non-issue with OpenSSL 1.1.1 because it only supported EC groups, not finite field ones but in OpenSSL 3.x it is again possible to select the vulnerable groups, even with TLS 1.3. The article mentions a way of configuring OpenSSL with a “Groups” setting to restrict the number of supported DH groups, however I haven’t found any HAProxy config option equivalent. The closest I’ve gotten is the “curves” property: https://docs.haproxy.org/2.8/configuration.html#5.1-curves However, I think it only restricts the available elliptic curves in a ECDHE handshake, but it does not prevent a TLS 1.3 client from selecting a non-ECDHE prime group, for example “ffdhe8192”. The article provides example configurations for NGINX and Apache, but is there any way to restrict the DH groups (e.g to just ECDHE) for TLS 1.3 for HAProxy, too? Best Regards, Dominik
