I'd try openssl.cnf чт, 2 мая 2024 г. в 17:17, Froehlich, Dominik <dominik.froehl...@sap.com>:
> Hello everyone, > > > > I’m hardening HAProxy for CVE-2002-20001 (DHEAT attack) at the moment. > > > > For TLS 1.2 I’m using the “tune.ssl.default-dh-param” option to limit the > key size to 2048 bit so that an attacker can’t force huge keys and thus > lots of CPU cycles on the server. > > > > However, I’ve noticed that the property has no effect on TLS 1.3 > connections. An attacker can still negotiate an 8192-bit key and brick the > server with relative ease. > > > > I’ve found an OpenSSL blog article about the issue: > https://www.openssl.org/blog/blog/2022/10/21/tls-groups-configuration/index.html > > > > As it seems, this used to be a non-issue with OpenSSL 1.1.1 because it > only supported EC groups, not finite field ones but in OpenSSL 3.x it is > again possible to select the vulnerable groups, even with TLS 1.3. > > > > The article mentions a way of configuring OpenSSL with a “Groups” setting > to restrict the number of supported DH groups, however I haven’t found any > HAProxy config option equivalent. > > > > The closest I’ve gotten is the “curves” property: > https://docs.haproxy.org/2.8/configuration.html#5.1-curves > > > > However, I think it only restricts the available elliptic curves in a > ECDHE handshake, but it does not prevent a TLS 1.3 client from selecting a > non-ECDHE prime group, for example “ffdhe8192”. > > > > The article provides example configurations for NGINX and Apache, but is > there any way to restrict the DH groups (e.g to just ECDHE) for TLS 1.3 for > HAProxy, too? > > > > > > Best Regards, > > Dominik >
