We noticed the same thing and would also recommend that the openssl client
reject small DH groups.
This would complement the strong validity checks that openssl already by e.g.
checking primality and rejecting invalid public keys.
On the precise number of minimum bits, please note that IIS uses a static
768-bit Diffie Hellman prime, specifically Group 1 from IKEv2 (rfc5996,
appendix B.1)/
I suspect a number of other servers may do the same; hence the numbers you see
for NSS and GnuTLS.
Best,
Karthik
On Nov 6, 2013, at 5:44 AM, Daniel Kahn Gillmor wrote:
> I noticed recently that OpenSSL as a client is happy to connect to a
> server that offers a trivially-crackable DH group.
>
> You can try it out at https://demo.cmrg.net/
>
> Other modern TLS implementations will refuse to connect to this server
> because the DHE group is only 16 bits. OpenSSL happily connects and
> does not inform the user that their expected message authenticity and
> confidentiality and integrity guarantees are not being met. I consider
> this a security failure in the key exchange, just as i would consider it
> a failure for OpenSSL to silently accept a known-broken cipher or MAC
> from its peer.
>
> I'd like to propose that the OpenSSL client implementation reject
> connections to peers that offer DH groups < 1024 bits, rather than
> failing open. The attached patch should have this effect.
>
> Other free software TLS implementations already have limits on DH group
> size below which the TLS client refuses DHE connections:
>
> * GnuTLS ~760 bits
> * polarssl 512 bits
> * NSS 512 bits
>
> Despite being stronger than OpenSSL currently is here, most of these
> limits are still too weak to consider even for legacy use, according to
> recent recommendations such as:
>
> http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report
>
> P.34 there indicates that 1024 bits for DLP is the limit of
> acceptability for "legacy" systems, and that for "near term" resistance,
> 3072 bits is recommended.
>
> Thoughts?
>
>--dkg
>
> Here's the patch, which i'll file on RT shortly:
>
>
> Author: Daniel Kahn Gillmor
> Date: Tue Nov 5 19:37:22 2013 -0500
>
>require DH group of 1024 bits
>
>Reject connections to TLS servers that select DH key exchange but
>offer a weak DH group.
>
> diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
> index bf1ef47..ef638c4 100644
> --- a/ssl/s3_clnt.c
> +++ b/ssl/s3_clnt.c
> @@ -3481,6 +3481,12 @@ int ssl3_check_cert_and_algorithm(SSL *s)
>
> SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
> goto f_err;
> }
> +else if ((alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) &&
> + (dh == NULL || DH_size(dh)*8 < 1024))
> + {
> + SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_WEAK_DH_GROUP);
> + goto f_err;
> + }
> #ifndef OPENSSL_NO_DSA
> else if ((alg_k & SSL_kDHd) && !SSL_USE_SIGALGS(s) &&
> !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
> diff --git a/ssl/ssl.h b/ssl/ssl.h
> index 472e070..3ea316c 100644
> --- a/ssl/ssl.h
> +++ b/ssl/ssl.h
> @@ -3062,6 +3062,7 @@ void ERR_load_SSL_strings(void);
> #define SSL_R_UNSUPPORTED_SSL_VERSION 259
> #define SSL_R_UNSUPPORTED_STATUS_TYPE 329
> #define SSL_R_USE_SRTP_NOT_NEGOTIATED 369
> +#define SSL_R_WEAK_DH_GROUP 371
> #define SSL_R_WRITE_BIO_NOT_SET260
> #define SSL_R_WRONG_CERTIFICATE_TYPE 383
> #define SSL_R_WRONG_CIPHER_RETURNED261
> diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
> index 9889a27..a97b4b5 100644
> --- a/ssl/ssl_err.c
> +++ b/ssl/ssl_err.c
> @@ -612,6 +612,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
> {ERR_REASON(SSL_R_UNSUPPORTED_SSL_VERSION),"unsupported ssl version"},
> {ERR_REASON(SSL_R_UNSUPPORTED_STATUS_TYPE),"unsupported status type"},
> {ERR_REASON(SSL_R_USE_SRTP_NOT_NEGOTIATED),"use srtp not negotiated"},
> +{ERR_REASON(SSL_R_WEAK_DH_GROUP) ,"weak dh group"},
> {ERR_REASON(SSL_R_WRITE_BIO_NOT_SET) ,"write bio not set"},
> {ERR_REASON(SSL_R_WRONG_CERTIFICATE_TYPE),"wrong certificate type"},
> {ERR_REASON(SSL_R_WRONG_CIPHER_RETURNED) ,"wrong cipher returned"},
> __
> OpenSSL Project http://www.openssl.org
> Development Mailing List openssl-dev@openssl.org
> Automated List Manager majord...@openssl.org
smime.p7s
Description: S/MIME cryptographic signature