tls: make server not use DHE in less than 1024bits for fix agaist Logjam Attack #1739
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
As this is a security patch (?), does this cheat the semver major cycle? |
|
Yes, this is a security patch but it is a similar kind of the fix for limiting cipher suites we did before. We did not change semver in changing the default cipher suite so I think this follows it. |
|
Update the doc description to recommend to use 2048bits or more. |
|
A quick question: when 1024 bits will be not safe, will you make a similar patch to make it throw an error then? Maybe it would be reasonable to print a warning to stderr in advance (maybe even now) for 1024 bits so less people will get surprised when that will be turned into an error? |
| Its key length should be greater than or equal to 1024bits, otherwise | ||
| it throws an error. It is recommended to use 2048bits or more for | ||
| enough strong security. If omitted or invalid, it is silently | ||
| discarded and DHE ciphers won't be available. |
There was a problem hiding this comment.
s/1024bits/1024 bits/, ditto for 2048bits.- I would
s/recommended/strongly recommended/and maybe add a warning that someday we're going to enforce it. s/enough strong security/stronger security/
DHE key lengths less than 1024bits is already weaken as pointed out in https://weakdh.org/ . 1024bits will not be safe in near future. We will extend this up to 2048bits somedays later.
|
@ChALkeR Printing WARNING is a good idea to me. Updated it in this PR. @bnoordhuis Updated according your comments. My editor was wired when I wrote assert.throws. I also found a bug of my tests that the 512 bits test does not invoke the next test. PTAL. |
| @@ -757,6 +757,12 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo<Value>& args) { | |||
| if (dh == nullptr) | |||
| return; | |||
|
|
|||
| int keylen = BN_num_bits(dh->p); | |||
There was a problem hiding this comment.
Suggestion: make keylen const.
|
LGTM A suggestion for a follow-up PR: print the warning from JS land with |
|
LGTM |
shigeki
pushed a commit
that referenced
this pull request
May 20, 2015
DHE key lengths less than 1024bits is already weaken as pointed out in https://weakdh.org/ . 1024bits will not be safe in near future. We will extend this up to 2048bits somedays later. PR-URL: #1739 Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Fedor Indutny <[email protected]>
|
@bnoordhuis @indutny Thanks for reviewing. Landed in 9b35be5 with Ben's suggestion to add const for kenlen. For console.trace, I will work it with a client fix later. |
Fishrock123
pushed a commit
to Fishrock123/node
that referenced
this pull request
May 21, 2015
DHE key lengths less than 1024bits is already weaken as pointed out in https://weakdh.org/ . 1024bits will not be safe in near future. We will extend this up to 2048bits somedays later. PR-URL: nodejs#1739 Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Fedor Indutny <[email protected]>
rvagg
added a commit
to rvagg/io.js
that referenced
this pull request
May 23, 2015
PR-URL: nodejs#1532 Notable Changes: * crypto: Diffie-Hellman key exchange (DHE) parameters ('dhparams') must now be 1024 bits or longer or an error will be thrown. A warning will also be printed to the console if you supply less than 2048 bits. See https://weakdh.org/ for further context on this security concern. (Shigeki Ohtsu) nodejs#1739. * node: A new --trace-sync-io command line flag will print a warning and a stack trace whenever a synchronous API is used. This can be used to track down synchronous calls that may be slowing down an application. (Trevor Norris) nodejs#1707. * node: To allow for chaining of methods, the setTimeout(), setKeepAlive(), setNoDelay(), ref() and unref() methods used in 'net', 'dgram', 'http', 'https' and 'tls' now return the current instance instead of undefined (Roman Reiss) nodejs#1779. * util: A significant speed-up (in the order of 35%) for the common-case of a single string argument to util.format(), used by console.log() (Сковорода Никита Андреевич) nodejs#1749.
rvagg
added a commit
to rvagg/io.js
that referenced
this pull request
May 23, 2015
PR-URL: nodejs#1532 Notable Changes: * crypto: Diffie-Hellman key exchange (DHE) parameters ('dhparams') must now be 1024 bits or longer or an error will be thrown. A warning will also be printed to the console if you supply less than 2048 bits. See https://weakdh.org/ for further context on this security concern. (Shigeki Ohtsu) nodejs#1739. * node: A new --trace-sync-io command line flag will print a warning and a stack trace whenever a synchronous API is used. This can be used to track down synchronous calls that may be slowing down an application. (Trevor Norris) nodejs#1707. * node: To allow for chaining of methods, the setTimeout(), setKeepAlive(), setNoDelay(), ref() and unref() methods used in 'net', 'dgram', 'http', 'https' and 'tls' now return the current instance instead of undefined (Roman Reiss & Evan Lucas) nodejs#1699 nodejs#1768 nodejs#1779. * util: A significant speed-up (in the order of 35%) for the common-case of a single string argument to util.format(), used by console.log() (Сковорода Никита Андреевич) nodejs#1749.
rvagg
added a commit
to rvagg/io.js
that referenced
this pull request
May 23, 2015
PR-URL: nodejs#1532 Notable Changes: * crypto: Diffie-Hellman key exchange (DHE) parameters ('dhparams') must now be 1024 bits or longer or an error will be thrown. A warning will also be printed to the console if you supply less than 2048 bits. See https://weakdh.org/ for further context on this security concern. (Shigeki Ohtsu) nodejs#1739. * node: A new --trace-sync-io command line flag will print a warning and a stack trace whenever a synchronous API is used. This can be used to track down synchronous calls that may be slowing down an application. (Trevor Norris) nodejs#1707. * node: To allow for chaining of methods, the setTimeout(), setKeepAlive(), setNoDelay(), ref() and unref() methods used in 'net', 'dgram', 'http', 'https' and 'tls' now return the current instance instead of undefined (Roman Reiss & Evan Lucas) nodejs#1699 nodejs#1768 nodejs#1779. * util: A significant speed-up (in the order of 35%) for the common-case of a single string argument to util.format(), used by console.log() (Сковорода Никита Андреевич) nodejs#1749.
rvagg
added a commit
to rvagg/io.js
that referenced
this pull request
May 24, 2015
PR-URL: nodejs#1532 Notable Changes: * crypto: Diffie-Hellman key exchange (DHE) parameters ('dhparams') must now be 1024 bits or longer or an error will be thrown. A warning will also be printed to the console if you supply less than 2048 bits. See https://weakdh.org/ for further context on this security concern. (Shigeki Ohtsu) nodejs#1739. * node: A new --trace-sync-io command line flag will print a warning and a stack trace whenever a synchronous API is used. This can be used to track down synchronous calls that may be slowing down an application. (Trevor Norris) nodejs#1707. * node: To allow for chaining of methods, the setTimeout(), setKeepAlive(), setNoDelay(), ref() and unref() methods used in 'net', 'dgram', 'http', 'https' and 'tls' now return the current instance instead of undefined (Roman Reiss & Evan Lucas) nodejs#1699 nodejs#1768 nodejs#1779. * npm: Upgraded to v2.10.1, release notes can be found in https://github.com/npm/npm/releases/tag/v2.10.1 and https://github.com/npm/npm/releases/tag/v2.10.0. * util: A significant speed-up (in the order of 35%) for the common-case of a single string argument to util.format(), used by console.log() (Сковорода Никита Андреевич) nodejs#1749.
rvagg
added a commit
that referenced
this pull request
May 24, 2015
PR-URL: #1777 Notable Changes: * crypto: Diffie-Hellman key exchange (DHE) parameters ('dhparams') must now be 1024 bits or longer or an error will be thrown. A warning will also be printed to the console if you supply less than 2048 bits. See https://weakdh.org/ for further context on this security concern. (Shigeki Ohtsu) #1739. * node: A new --trace-sync-io command line flag will print a warning and a stack trace whenever a synchronous API is used. This can be used to track down synchronous calls that may be slowing down an application. (Trevor Norris) #1707. * node: To allow for chaining of methods, the setTimeout(), setKeepAlive(), setNoDelay(), ref() and unref() methods used in 'net', 'dgram', 'http', 'https' and 'tls' now return the current instance instead of undefined (Roman Reiss & Evan Lucas) #1699 #1768 #1779. * npm: Upgraded to v2.10.1, release notes can be found in https://github.com/npm/npm/releases/tag/v2.10.1 and https://github.com/npm/npm/releases/tag/v2.10.0. * util: A significant speed-up (in the order of 35%) for the common-case of a single string argument to util.format(), used by console.log() (Сковорода Никита Андреевич) #1749.
shigeki
pushed a commit
to shigeki/node
that referenced
this pull request
May 30, 2015
To make it easy to figure out where the warning comes from. Also fix style and variable name that was made in nodejs#1739.
shigeki
pushed a commit
to shigeki/node
that referenced
this pull request
Jun 1, 2015
To make it easy to figure out where the warning comes from. Also fix style and variable name that was made in nodejs#1739.
shigeki
pushed a commit
to shigeki/node
that referenced
this pull request
Jun 1, 2015
To make it easy to figure out where the warning comes from. Also fix style and variable name that was made in nodejs#1739.
shigeki
pushed a commit
to shigeki/node
that referenced
this pull request
Jun 1, 2015
To make it easy to figure out where the warning comes from. Also fix style and variable name that was made in nodejs#1739.
andrewdeandrade
pushed a commit
to andrewdeandrade/node
that referenced
this pull request
Jun 3, 2015
DHE key lengths less than 1024bits is already weaken as pointed out in https://weakdh.org/ . 1024bits will not be safe in near future. We will extend this up to 2048bits somedays later. PR-URL: nodejs/node#1739 Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Fedor Indutny <[email protected]>
shigeki
pushed a commit
to shigeki/node
that referenced
this pull request
Jun 12, 2015
DHE key lengths less than 1024bits is already weaken as pointed out in https://weakdh.org/ . 1024bits will not be safe in near future. We will extend this up to 2048bits somedays later. PR-URL: nodejs#1739 Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Fedor Indutny <[email protected]>
This was referenced Jun 23, 2015
shigeki
pushed a commit
to shigeki/node
that referenced
this pull request
Aug 27, 2015
To make it easy to figure out where the warning comes from. Also fix style and variable name that was made in nodejs#1739.
shigeki
pushed a commit
that referenced
this pull request
Oct 16, 2015
To make it easy to figure out where the warning comes from. Also fix style and variable name that was made in #1739. PR-URL: #1831 Reviewed-By: indutny - Fedor Indutny <[email protected]> Reviewed-By: bnoordhuis - Ben Noordhuis <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
DHE key lengths less than 1024bits is already weaken as pointed out in https://weakdh.org/ . 1024bits will not be safe in near future. We will extend this up to 2048bits somedays later.
What do about for clients? We can obtain DHE keylength via
SSL_get_server_tmp_key()but I think we'd better to have an new options to limit the DHE key size with 1024bits default. Thoughts?CI results are https://jenkins-iojs.nodesource.com/job/iojs+any-pr+multi/697/. It looks fine except jenkins, child_process and sync-io-option error.
R= @bnoordhuis @indutny