Currently, the SSL_CTX_set_tmp_dh_callback() function is used to define a callback to retrieve DH parameters for SSL connections. Unfortunately, as a side-effect of the OpenSSL implementation, this means that only 1024 bit DH keys are used [1]. It's probably better to provide the user with an option to explicitly set the DH parameters (generated using openssl dhparam), which makes it possible to use DH parameters over 1024 bits. SSL_CTX_set_tmp_dh() can be used for this.

[1] https://groups.google.com/forum/#!topic/mailing.openssl.users/UmdbGRFsFmY
This would not change anything. The real solution (based on mod_ssl) would be to change the callback method to:

    DH *SSL_callback_tmp_DH(SSL *ssl, int export, int keylen)
    {
        EVP_PKEY *pkey;
        int type;

        pkey = SSL_get_privatekey(ssl);
        type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE;

        /*
         * OpenSSL will call us with either keylen == 512 or keylen == 1024
         * (see the definition of SSL_EXPORT_PKEYLENGTH in ssl_locl.h).
         * Adjust the DH parameter length according to the size of the
         * RSA/DSA private key used for the current connection.
         */
        if ((type == EVP_PKEY_RSA) || (type == EVP_PKEY_DSA)) {
            keylen = EVP_PKEY_bits(pkey);
        }

        int idx;
        switch (keylen) {
        case 512:
            idx = SSL_TMP_KEY_DH_512;
            break;
        case 2048:
            idx = SSL_TMP_KEY_DH_2048;
            break;
        case 4096:
            idx = SSL_TMP_KEY_DH_4096;
            break;
        case 1024:
        default:
            idx = SSL_TMP_KEY_DH_1024;
            break;
        }
        return (DH *)SSL_temp_keys[idx];
    }
Removed switch key, to handle more private key lengths (e.g. 3072 bits).

    DH *SSL_callback_tmp_DH(SSL *ssl, int export, int keylen)
    {
        EVP_PKEY *pkey;
        int type;

        pkey = SSL_get_privatekey(ssl);
        type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE;

        /*
         * OpenSSL will call us with either keylen == 512 or keylen == 1024
         * (see the definition of SSL_EXPORT_PKEYLENGTH in ssl_locl.h).
         * Adjust the DH parameter length according to the size of the
         * RSA/DSA private key used for the current connection.
         */
        if ((type == EVP_PKEY_RSA) || (type == EVP_PKEY_DSA)) {
            keylen = EVP_PKEY_bits(pkey);
        }

        int idx = SSL_TMP_KEY_DH_512;
        if (keylen > 2048) {
            idx = SSL_TMP_KEY_DH_4096;
        } else if (keylen > 1024) {
            idx = SSL_TMP_KEY_DH_2048;
        } else if (keylen > 512) {
            idx = SSL_TMP_KEY_DH_1024;
        }
        return (DH *)SSL_temp_keys[idx];
    }
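The two selection strategies posted above, compared side by side over a constructed list of key sizes. This is an added example, not code from the thread or from tcnative; the function names and sample sizes are assumptions, and plain bit counts stand in for the SSL_TMP_KEY_DH_* indices.

```c
#include <stdio.h>

/* Selection as in the first callback: exact-match switch, default 1024. */
static int dh_bits_switch(int key_bits)
{
    switch (key_bits) {
    case 512:  return 512;
    case 2048: return 2048;
    case 4096: return 4096;
    case 1024:
    default:   return 1024;
    }
}

/* Selection as in the revised callback: thresholds, capped at 4096. */
static int dh_bits_threshold(int key_bits)
{
    if (key_bits > 2048) return 4096;
    if (key_bits > 1024) return 2048;
    if (key_bits > 512)  return 1024;
    return 512;
}

/* Count key sizes for which the chosen DH group is smaller than the key. */
static int count_weaker_than_key(int (*pick)(int), const int *sizes, int n)
{
    int weaker = 0;
    for (int i = 0; i < n; i++)
        if (pick(sizes[i]) < sizes[i])
            weaker++;
    return weaker;
}

/* Constructed sample of certificate key sizes, in bits. */
static const int SAMPLE_KEY_BITS[] = { 1024, 1536, 2048, 3072, 4096, 8192 };
#define SAMPLE_COUNT ((int)(sizeof SAMPLE_KEY_BITS / sizeof SAMPLE_KEY_BITS[0]))

int main(void)
{
    printf("%8s %8s %10s\n", "key", "switch", "threshold");
    for (int i = 0; i < SAMPLE_COUNT; i++)
        printf("%8d %8d %10d\n", SAMPLE_KEY_BITS[i],
               dh_bits_switch(SAMPLE_KEY_BITS[i]),
               dh_bits_threshold(SAMPLE_KEY_BITS[i]));
    printf("weaker than key: switch=%d threshold=%d\n",
           count_weaker_than_key(dh_bits_switch, SAMPLE_KEY_BITS, SAMPLE_COUNT),
           count_weaker_than_key(dh_bits_threshold, SAMPLE_KEY_BITS, SAMPLE_COUNT));
    return 0;
}
```

With the exact-match switch, any key size without its own case (1536, 3072, 8192 in the sample) falls through to 1024-bit DH; with thresholds only keys above 4096 bits get a DH group smaller than the key.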
I have ported the current mod_ssl code from httpd to tcnative with the following features:

- by default use the same size for DH as the key used in the certificate. So certificate strength reflects in key exchange strengths.
- optionally you can generate your own DH params using "openssl dhparam" and add them into the certificate file. We will find the data there automatically (if present) and use these params instead.

A docs update will follow soon. I guess with these improvements we can fix this issue here as soon as the next tcnative 1.1.34 gets released.
Is this part of tcnative 1.2.x?
Yes. A release vote for the first public release 1.2.2 is in progress. The release should be available in a few days.
Hi Rainer, 1.2.2 has been released (http://tomcat.apache.org/native-doc/miscellaneous/changelog.html). I cannot see the changes you have made. Has this been postponed to 1.2.3?
It is in 1.2.2, but the change had already also been backported to the 1.1 branch for the forthcoming 1.1.34. The changelog of 1.2.2 starts on top of 1.1 but unfortunately not on top of the last released 1.1.33 but the 1.1 changelog as it was when 1.2.0 was cut. So some changes are missing in the changelog for 1.2.2. Especially:

    <update>
      Unconditionally disable export Ciphers. Use the configure flag
      --enable-insecure-export-ciphers for a custom build supporting
      those insecure ciphers. (rjung)
    </update>
    <update>
      Improve ephemeral key handling for DH and ECDH. Parameter strength
      is by default derived from the certificate key strength. It can be
      overwritten by embedding custom parameters in the certificate file
      configured with <code>SSLCertificateFile</code>. (rjung)
    </update>

The second one is the one you are looking for. It works the same way as in Apache httpd mod_ssl.

Regards,
Rainer
Hi Rainer, it sounds like this fix is in 1.2.2, but missed in the changelog and will be in the upcoming 1.1.34. Is this a correct summary? If so, can the changelog for 1.2.2 be updated to include these notes? Also, do you know when 1.1.34 is scheduled to be released?
We have recently upgraded to Tomcat 6.0.45 which has libtcnative 1.1.34 included. I scanned the endpoint with sslscan and I can confirm that DHE is now served with 2048 bits. Rainer, thank you very much for the patch. This is fixed for me.
Thanks for the feedback, closing as fixed.