httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Yann Ylavic <ylavic....@gmail.com>
Subject Re: Possible mod_ssl's backports to 2.2.x? (was: Looking ahead to 2.4.13 / 2.2.30)
Date Tue, 05 May 2015 18:03:01 GMT
Please note that the primes constants in modules/ssl/ssl_engine_dh.c
are from openssl/crypto/bn/bn_const.c.
FWIW, attached is a (stripped) diff between the two files that shows
constants are the same...

On Tue, May 5, 2015 at 7:12 PM, Yann Ylavic <ylavic.dev@gmail.com> wrote:
> Possible backport patch attached.
>
> On Tue, May 5, 2015 at 3:14 PM, Yann Ylavic <ylavic.dev@gmail.com> wrote:
>> I'd like to propose those 2.4.x CHANGES (r1542327+r1569005+r1542327)
>> for backport to 2.2.x (in reverse order):
>>
>>   *) mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer
>>      larger keys and support up to 8192-bit keys.  [Ruediger Pluem,
>>      Joe Orton]
>>
>>   *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
>>      allowing custom parameters to be configured via SSLCertificateFile,
>>      and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
>>      Unless custom parameters are configured, the standardized parameters
>>      are applied based on the certificate's RSA/DSA key size. [Kaspar Brand]
>>
>>   *) mod_ssl, configure: Require OpenSSL 0.9.8a or later. [Kaspar Brand]
>>
>>   *) mod_ssl: drop support for export-grade ciphers with ephemeral RSA
>>      keys, and unconditionally disable aNULL, eNULL and EXP ciphers
>>      (not overridable via SSLCipherSuite). [Kaspar Brand]
>>
>> or at least partly.
>>
>> Beyond the (problematic?) requirement on OpenSSL 0.9.8a (discussed
>> below), and what may look like an improvement only (first one), there
>> are also security considerations:
>> - ephemeral DH keys (for EDH ciphers) are currently limited to 1024
>> bits in 2.2.x, so with 2048 bits or more certificates (quite
>> recommended today), one should use its own dhparams for (E)DH ciphers,
>> - ecparams loadable from certificate allow to configure the curve/key
>> (plus SSL_CTX_set_ecdh_auto() when openssl >= 1.0.2),
>> - export grade ciphers (removed from openssl's maintained versions)
>> are still in use with default/general configurations (FREAK, ...).
>>
>> Regarding requirement on OpenSSL 0.9.8a (what's the actual requirement
>> in 2.2.x?), if that's really a stopper, it only concerns the use of
>> get_rfc{2409,3526}_prime_{1024,2048,..}() introduced in 0.9.8a
>> (AFAICT), and we could eventually include (statically) that primes in
>> the code for versions < 0.9.8a.
>> But is there real 2.2.x user with OpenSSL < 0.9.8a?
>>
>> Also, those changes are effective since 2.4.7, and hence are quite
>> largely tested already.
>>
>> Any pros/cons/comments before I try to resolve (hopefully) small conflicts?
>>
>> Regards,
>> Yann.

Mime
View raw message