Diffie-Hellman group parameters 1024 bit and Perfect Forward Secrecy
Hi, There has been lately some attention to perfect forward secrecy in TLS, mainly due to an article on netcraft: http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html What worries me is that apache still fixes the DH group size to 1024 bit. If one uses an RSA key with, e.g., 2048 bit, then using a DHE TLS cipher will actually "downgrade" the security of the connection. DLP or factoring-based public key cryptography with 1024 bit has been known to be potentially week for quite some time now. NIST recommended to phase out 1024 bit keys by 2010. (we don't have a "key" here, but the security of a DHE group with 1024 bit is equivalent to a 1024 bit DSA key) There's been a patch in bugzilla for a while to allow user-defined DH parameters, however it hasn't gotten any attention by apache developers yet: https://issues.apache.org/bugzilla/show_bug.cgi?id=49559 I'd like to ask apache devs to raise some attention to this issue. I think user-defined dh groups would be a good thing, but probably the default should also be raised to e.g. 2048 bit. cu, -- Hanno Böck http://hboeck.de/ mail/jabber: ha...@hboeck.de GPG: BBB51E42 signature.asc Description: PGP signature
Re: Diffie-Hellman group parameters 1024 bit and Perfect Forward Secrecy
Hi, I agree that the configuration of DH parameters should be possible from within Apache. Ideally the configuration should allow the size of random DH Parameters to be chosen and also allow the user to provide a preconfigured DH Parameter file. This patch should be included into 2.2 and 2.4, and of course 2.5-dev :) Many thanks, Mike On 28/06/2013 08:46, Hanno Böck wrote: Hi, There has been lately some attention to perfect forward secrecy in TLS, mainly due to an article on netcraft: http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html What worries me is that apache still fixes the DH group size to 1024 bit. If one uses an RSA key with, e.g., 2048 bit, then using a DHE TLS cipher will actually "downgrade" the security of the connection. DLP or factoring-based public key cryptography with 1024 bit has been known to be potentially week for quite some time now. NIST recommended to phase out 1024 bit keys by 2010. (we don't have a "key" here, but the security of a DHE group with 1024 bit is equivalent to a 1024 bit DSA key) There's been a patch in bugzilla for a while to allow user-defined DH parameters, however it hasn't gotten any attention by apache developers yet: https://issues.apache.org/bugzilla/show_bug.cgi?id=49559 I'd like to ask apache devs to raise some attention to this issue. I think user-defined dh groups would be a good thing, but probably the default should also be raised to e.g. 2048 bit. cu,
Re: Diffie-Hellman group parameters 1024 bit and Perfect Forward Secrecy
How about making ECDH parameters configurable from within Apache too? On 28/06/13 09:57, MikeM wrote: Hi, I agree that the configuration of DH parameters should be possible from within Apache. Ideally the configuration should allow the size of random DH Parameters to be chosen and also allow the user to provide a preconfigured DH Parameter file. This patch should be included into 2.2 and 2.4, and of course 2.5-dev :) Many thanks, Mike On 28/06/2013 08:46, Hanno Böck wrote: Hi, There has been lately some attention to perfect forward secrecy in TLS, mainly due to an article on netcraft: http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html What worries me is that apache still fixes the DH group size to 1024 bit. If one uses an RSA key with, e.g., 2048 bit, then using a DHE TLS cipher will actually "downgrade" the security of the connection. DLP or factoring-based public key cryptography with 1024 bit has been known to be potentially week for quite some time now. NIST recommended to phase out 1024 bit keys by 2010. (we don't have a "key" here, but the security of a DHE group with 1024 bit is equivalent to a 1024 bit DSA key) There's been a patch in bugzilla for a while to allow user-defined DH parameters, however it hasn't gotten any attention by apache developers yet: https://issues.apache.org/bugzilla/show_bug.cgi?id=49559 I'd like to ask apache devs to raise some attention to this issue. I think user-defined dh groups would be a good thing, but probably the default should also be raised to e.g. 2048 bit. cu, -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online Office Tel: +44.(0)1274.730505 Office Fax: +44.(0)1274.730909 www.comodo.com COMODO CA Limited, Registered in England No. 04058690 Registered Office: 3rd Floor, 26 Office Village, Exchange Quay, Trafford Road, Salford, Manchester M5 3EQ This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender by replying to the e-mail containing this attachment. Replies to this email may be monitored by COMODO for operational or business reasons. Whilst every endeavour is taken to ensure that e-mails are free from viruses, no liability can be accepted and the recipient is requested to use their own virus checking software.
Re: Diffie-Hellman group parameters 1024 bit and Perfect Forward Secrecy
It could be done, yes. However, it's slightly less necessary, as right now prime256v1 curve is the default one, and it's a secure one (until Dan Bernstein publishes his paper about NIST curves). On high-volume websites, some may be tempted to switch to prime224v1 if it was possible; it's twice as fast and still offers 112 bits of security. The overall gain would be marginal, though. I haven't dived yet into ECDHE and TLS negotiation to see if other curves can be supported (the brainpool ones, for example). In his last blog post, Ben Laurie has good concerns regarding the SessionTicket keys (renew them often, don't write them to disk). 2013/6/28 Rob Stradling : > How about making ECDH parameters configurable from within Apache too? > > On 28/06/13 09:57, MikeM wrote: >> >> Hi, >> >> I agree that the configuration of DH parameters should be possible from >> within Apache. Ideally the configuration should allow the size of random >> DH Parameters to be chosen and also allow the user to provide a >> preconfigured DH Parameter file. >> >> This patch should be included into 2.2 and 2.4, and of course 2.5-dev :) >> >> Many thanks, >> Mike >> >> On 28/06/2013 08:46, Hanno Böck wrote: >>> >>> Hi, >>> >>> There has been lately some attention to perfect forward secrecy in TLS, >>> mainly due to an article on netcraft: >>> >>> http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html >>> >>> >>> What worries me is that apache still fixes the DH group size to 1024 >>> bit. If one uses an RSA key with, e.g., 2048 bit, then using a DHE TLS >>> cipher will actually "downgrade" the security of the connection. >>> >>> DLP or factoring-based public key cryptography with 1024 bit has been >>> known to be potentially week for quite some time now. NIST recommended >>> to phase out 1024 bit keys by 2010. >>> (we don't have a "key" here, but the security of a DHE group with 1024 >>> bit is equivalent to a 1024 bit DSA key) >>> >>> There's been a patch in bugzilla for a while to allow user-defined DH >>> parameters, however it hasn't gotten any attention by apache developers >>> yet: >>> https://issues.apache.org/bugzilla/show_bug.cgi?id=49559 >>> >>> I'd like to ask apache devs to raise some attention to this issue. I >>> think user-defined dh groups would be a good thing, but probably the >>> default should also be raised to e.g. 2048 bit. >>> >>> cu,
Re: Diffie-Hellman group parameters 1024 bit and Perfect Forward Secrecy
On 28/06/2013 10:31, Rob Stradling wrote: > How about making ECDH parameters configurable from within Apache too? > The current technique of hard coding the ECDH parameters isn't correct but it's the best release versions of OpenSSL can do. The unreleased OpenSSL 1.0.2 can be configured to use the client's supported curve list extension to automatically use the highest preference curve. Optionally server curve preferences can be set too. OpenSSL 1.0.2 also includes some generalised configuration code which means any application which uses the SSL configuration API (there is provisional code for this in 2.5-dev) can be configured using the SSLOpenSSLConfCmd directive. ECDH curves (and many other things) can be set this way. Steve. -- Dr Stephen Henson. OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 +1 877-673-6775 shen...@opensslfoundation.com
Re: mod_lua in 2.4 CHANGES
On Jun 28, 2013, at 2:18 AM, Rainer Jung wrote: > On 28.06.2013 03:59, Guenter Knauf wrote: >> On 28.06.2013 01:03, Rainer Jung wrote: >>> Hi Daniel and/or Günter, >>> >>> can you have a look at the trunk CHANGES file and move the lua items >>> that should now be in 2.4 to the 2.4 CHANGES file? We forgot that when >>> we synced 2.4 with trunk and it would be nice to have them in the 2.4 >>> file before 2.4.5 gets tagged. >> well, I was lazy and did only mention the few new functions I added in >> 2.4 after all were backported - so nothing to move :-P >> but I didnt keep track of the various bugfixes we did ... > > Yeah those lazy lua guys, I think we should switch back to RTC ;) > > I moved and cleaned up everything. More eyes welcome. > LOL thx!
[quickpoll] bundle apr-util 1.4.1 or 1.5.2 with httpd 2.2.25?
Just wanted to know the opinion of some of you who are on email today. [ ] stay at apr-util 1.4.1 (last 1.4 release) [ ] jump up to apr-util 1.5.2 (now that it is more stable)
Re: [quickpoll] bundle apr-util 1.4.1 or 1.5.2 with httpd 2.2.25?
William A. Rowe Jr. wrote: > Just wanted to know the opinion of some of you who are on email today. > > [ ] stay at apr-util 1.4.1 (last 1.4 release) > [ X ] jump up to apr-util 1.5.2 (now that it is more stable) > > Regards Rüdiger
Re: [quickpoll] bundle apr-util 1.4.1 or 1.5.2 with httpd 2.2.25?
On Fri, Jun 28, 2013 at 1:55 PM, William A. Rowe Jr. wrote: > Just wanted to know the opinion of some of you who are on email today. > > [ ] stay at apr-util 1.4.1 (last 1.4 release) > [ ] jump up to apr-util 1.5.2 (now that it is more stable) > > [X] jump up to apr-util 1.5.2 (now that it is more stable) -- Born in Roswell... married an alien... http://emptyhammock.com/
Re: [quickpoll] bundle apr-util 1.4.1 or 1.5.2 with httpd 2.2.25?
On 28.06.2013 19:55, William A. Rowe Jr. wrote: > Just wanted to know the opinion of some of you who are on email today. > > [ ] stay at apr-util 1.4.1 (last 1.4 release) > [X] jump up to apr-util 1.5.2 (now that it is more stable) Rainer
[VOTE] Release 2.0.65 [the final frontier]
Candidates are in http://httpd.apache.org/dev/dist/ +/-1 [ ] Release 2.0.65 as the final 2.0 series package TIA!
[VOTE] Release 2.2.25
Candidates are in http://httpd.apache.org/dev/dist/ +/-1 [ ] Release 2.2.25 (apr 1.4.8, apr-util 1.5.2) TIA!
