On Tuesday, 3 January 2023 11:33:39 CET, Peter Gutmann wrote:
> Hubert Kario <hka...@redhat.com> writes:
>
>> It's also easy and quick to verify that the server *is* behaving correctly
>> and thus is not exploitable.
>
> It's also a somewhat silly issue to raise, if we're worried about a server
> using deliberately broken FFDHE parameters then why aren't we worried about
> the server leaking its private key through the server random, or posting it to
> Pastebin, or sending a copy of the session plaintext to virusbucket.ru?  If
> the server's broken it's broken and there's not much a client can do about it.

Because there are software stacks that allow configuration of arbitrary
parameters for FFDH (see GnuTLS, OpenSSL), and there are software stacks that
generate one public key share and reuse it for a long time, or allow
configuration of this kind of behaviour (see old OpenSSL, NSS for ECDHE).

So this kind of server behaviour may be a result of misconfiguration, not
malicious behaviour. Misconfiguration that might have been caused by bad
advice or a desire to optimise performance and then just cargo-culted to this
day.

In short: because this kind of behaviour may be a result of an error rather than
malice.

So it's worth checking for when auditing server configuration.

--
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
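As an added example (not code from this thread or from any TLS stack), the checks an auditor would run on the FFDHE values a server sends in ServerKeyExchange, assuming p, g and Ys have already been extracted from captured handshakes: a bit-length floor, a safe-prime test, a subgroup-membership test on Ys, and a count of Ys values reused across handshakes, covering both the "deliberately broken parameters" and the "reused key share" cases discussed above. The sample numbers in the test are constructed toy values, far below real key sizes.

```python
# Audit checks for the FFDHE ServerKeyExchange values (p, g, Ys) a server sends.
# Added example, not code from the thread or from any TLS stack. Assumes the
# caller has already extracted p, g and Ys (e.g. from a packet capture).
from collections import Counter

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases (deterministic for n < 3.3e24)."""
    if n in SMALL_PRIMES:
        return True
    if n < 2 or any(n % sp == 0 for sp in SMALL_PRIMES):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def audit_dh_params(p: int, g: int, ys: int, min_bits: int = 2048) -> list:
    """Return a list of findings for one handshake (empty means it passes)."""
    findings = []
    if p.bit_length() < min_bits:
        findings.append(f"p is only {p.bit_length()} bits")
    if not is_probable_prime(p):
        findings.append("p is not prime")
        return findings            # the remaining checks assume a prime modulus
    q = (p - 1) // 2               # for a safe prime, the large prime-order subgroup
    if not is_probable_prime(q):
        findings.append("p is not a safe prime (no large prime-order subgroup)")
    if not 1 < ys < p - 1:
        findings.append("Ys is outside (1, p-1)")
    elif pow(ys, q, p) != 1:
        findings.append("Ys is not in the order-q subgroup")
    return findings

def find_reused_shares(handshakes: list) -> dict:
    """Map each Ys seen in more than one (p, g, Ys) handshake to its count."""
    counts = Counter(ys for (_p, _g, ys) in handshakes)
    return {ys: n for ys, n in counts.items() if n > 1}
```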

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls