On 03/13/2014 04:05 PM, Kurt Roeckx wrote:
> On Thu, Mar 13, 2014 at 03:13:01PM -0400, Daniel Kahn Gillmor wrote:
>> In theory, users of OpenSSL as a TLS client are already able to query
>> the size of the DH key exchange for any given connection, and can choose
>> to terminate it if they object to the size of the group (or any other
>> properties of the group).
>
> Last time I looked this information is in an internal structure
> not exposed to the client.

hm, i also never figured out how a client could possibly do it, which suggests even more strongly that OpenSSL is failing to keep its users secure.

But even if it turns out that there is some way that the client can get to this information (as there is in other libraries, e.g. gnutls_dh_get_prime_bits()), i don't think we can or should expect each application to do this for each connection.

OpenSSL needs to default to a mode where the connection is secure, and only move out of that if the user or application explicitly loosens the security along some specific axis (e.g. an SMTP daemon explicitly enabling anonymous ciphersuites as discussed in the TLS WG right now).

--dkg
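
Added example, not part of the original message and not OpenSSL or GnuTLS code: a sketch of the check the thread wants enforced, measuring the DH prime carried in a TLS ServerDHParams structure (RFC 5246, section 7.4.3) against a floor. The function names, the caller-supplied `min_bits` floor and the toy-sized sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: dh_p = 00 01 FF (9 significant bits), dh_g = 02,
 * dh_Ys = 01 23. Toy-sized on purpose; real groups are far larger. */
static const uint8_t SAMPLE[] = {
    0x00, 0x03, 0x00, 0x01, 0xFF,   /* length-prefixed dh_p  */
    0x00, 0x01, 0x02,               /* length-prefixed dh_g  */
    0x00, 0x02, 0x01, 0x23          /* length-prefixed dh_Ys */
};

/* Bit length of dh_p in a ServerDHParams body (dh_p, dh_g, dh_Ys, each a
 * 2-byte length followed by a big-endian integer). Bytes after dh_Ys (the
 * signature) are ignored. Returns -1 if the input is truncated or malformed. */
int dh_prime_bits(const uint8_t *buf, size_t len)
{
    size_t off = 0, p_off = 0, p_len = 0;
    for (int field = 0; field < 3; field++) {
        if (len - off < 2) return -1;            /* no room for a length   */
        size_t n = ((size_t)buf[off] << 8) | buf[off + 1];
        off += 2;
        if (n == 0 || n > len - off) return -1;  /* empty or overruns buf  */
        if (field == 0) { p_off = off; p_len = n; }
        off += n;
    }
    /* Leading zero bytes do not add strength; skip them before counting. */
    while (p_len > 0 && buf[p_off] == 0) { p_off++; p_len--; }
    if (p_len == 0) return -1;                   /* p == 0 is never valid  */
    int bits = (int)(p_len * 8);
    for (uint8_t top = buf[p_off]; !(top & 0x80); top <<= 1) bits--;
    return bits;
}

/* Fail closed: a malformed structure (-1) is rejected like a small group. */
int dh_group_acceptable(const uint8_t *buf, size_t len, int min_bits)
{
    return dh_prime_bits(buf, len) >= min_bits;
}

int main(void)
{
    printf("dh_p bits: %d, acceptable at 2048: %d\n",
           dh_prime_bits(SAMPLE, sizeof SAMPLE),
           dh_group_acceptable(SAMPLE, sizeof SAMPLE, 2048));
    return 0;
}
```

Counting significant bits rather than bytes matters here because a server can pad a short prime with leading zeros so that its encoded length looks larger than its actual strength.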