[Bug 1197884] Re: apache2.2 SSL has no forward-secrecy: need ECDHE keys
Bug Watch Updater
1197884 at bugs.launchpad.net
Fri Jun 5 19:25:14 UTC 2015
Launchpad has imported 21 comments from the remote bug at
https://bz.apache.org/bugzilla/show_bug.cgi?id=49559.
If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.
------------------------------------------------------------------------
On 2010-07-06T09:12:39+00:00 Erwann-abalea wrote:
Created attachment 25714
Allow admin-choosen DH parameters for DHE enabled cipher-modes
In order to be EAL4+ validated for one of our customers, Apache needs to
be able to support 2048+ bits group size for Diffie-Hellman parameters.
Right now, temporary parameters are 512 and 1024 bits only.
We can still disallow DH at all, leaving only RSA for authentication and
pre-master secret encryption, but that's a suboptimal solution, as we
then loose forward secrecy.
Adding a 2048 bits DH temporary key into mod_ssl is not possible, since
OpenSSL would only ask for a 512/1024 bits one, depending on the
"exportability" of the choosen ciper-mode.
This patch adds a new configuration directive, "SSLDHParametersFile <file>", allowing the administrator to supply its own Diffie-Hellman parameters ("openssl dhparam 2048 > dhparam2048.pem" to generate 2048 bits ones, for example).
If this directive is specified and parameters are found in the supplied file, then these parameters will be used whenever DHE is used to negociate the pre-master secret. If this directive is not used, then it works like it does now, leaving OpenSSL ask mod_ssl for a set of parameters of the desired size (512 or 1024 bits).
We'd like this to be evaluated, discussed, and if possible, applied.
Regards.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884/comments/0
------------------------------------------------------------------------
On 2012-04-30T18:22:51+00:00 Erwann-abalea wrote:
Created attachment 28699
Updated patch for 2.4.2
Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884/comments/1
------------------------------------------------------------------------
On 2012-04-30T18:29:45+00:00 Erwann-abalea wrote:
A new version of the patch has been provided, based on httpd 2.4.2.
When generating your own DH parameters, add the "-dsaparam" option to openssl commandline, this speeds up the handshake by about 15% for a 1024bits prime to 30% for a 2048bits prime.
With "-dsaparam" option, the private key is limited to 160 bits for a <2048bits prime, and 256 bits for a >=2048bits one. You then have 80bits of security for a 1024bits prime, but based on NFS results you can't get much.
2048bits prime with a 256bits private key length gives you 128bits of security.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884/comments/2
------------------------------------------------------------------------
On 2013-06-24T17:09:10+00:00 Michaelm12-asfbugzilla wrote:
Any idea on when this might make it into 2.4.x or 2.2.x?
Many thanks.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884/comments/3
------------------------------------------------------------------------
On 2013-07-21T22:45:20+00:00 Frazzzzze wrote:
I would like to see this added to 2.2.x and 2.4.x too!
Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884/comments/6
------------------------------------------------------------------------
On 2013-08-04T18:10:23+00:00 Geoffroy+dev wrote:
In addition, Elliptic Curve choice should also be given to the server
admin in a similar way (e.g. SSLCurveList <enabled_curve_list> ). Tell
the admin to execute 'openssl ecparam -list_curves' to get a list of the
supported curves.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884/comments/8
------------------------------------------------------------------------
On 2013-08-16T08:47:13+00:00 Christoph_vW wrote:
Would someone please apply this patch to 2.2.x and 2.4.x ... ?
Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884/comments/9
------------------------------------------------------------------------
On 2013-08-16T08:53:33+00:00 Harald-dunkel-r wrote:
I'd love to see this added to 2.2.x and 2.4.y
Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884/comments/10
------------------------------------------------------------------------
On 2013-09-08T08:10:11+00:00 Asfbugz wrote:
Created attachment 30804
PoC: read (EC)DHE parameters from SSLCertificateFile (applies to trunk and 2.4.x)
I'm fine with the idea, but the implementation in the patches submitted
so far is too complex, in my opinion (in particular the
SSL_read_DHparams stuff, which tries to support/read three different
formats).
Here is an alternative proposal:
- only support PEM-formatted parameters (-----BEGIN DH PARAMETERS---- /
-----END DH PARAMETERS-----)
- use the existing SSLCertificateFile directive to support per-vhost,
custom DHE and ECDHE parameters
Attached is a - lightly tested - proof of concept, to be applied to
either trunk or 2.4.x... testing and feedback welcome. To specify EC
curve names, append the output of "openssl ecparam -name secp521r1" or
your favorite curve to SSLCertificateFile (of course the docs for
SSLCertificateFile would have to be extended, if there is a general
agreement on taking this approach).
Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884/comments/11
------------------------------------------------------------------------
On 2013-09-08T12:15:59+00:00 Erwann-abalea wrote:
(In reply to Kaspar Brand from comment #8)
> Created attachment 30804 [details]
> PoC: read (EC)DHE parameters from SSLCertificateFile (applies to trunk and
> 2.4.x)
>
> I'm fine with the idea, but the implementation in the patches submitted so
> far is too complex, in my opinion (in particular the SSL_read_DHparams
> stuff, which tries to support/read three different formats).
This function is similar to SSL_read_X509 and SSL_read_PrivateKey
defined in the same file, and used by the module to read the
corresponding objects.
That said, I'm not fluent in Apache internals, and I admit some things
may have been done more easily. I tried to mimic how already existing
elements (keys and certs) were declared, registered and used, when
adding a new element type (DHParams).
> - use the existing SSLCertificateFile directive to support per-vhost, custom
> DHE and ECDHE parameters
The original patch is also vhost-aware.
It doesn't know about ECDHE, that's true. That wasn't critical at that time (2010) because nobody used ECDHE, and even today the used curve is the standard NIST P256, offering 128bits of security in theory. Since a few weeks, some people want to be able to specify the curve used, there's nothing wrong with that.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884/comments/12
------------------------------------------------------------------------
On 2013-09-08T15:25:43+00:00 Hiding-l wrote:
(In reply to Kaspar Brand from comment #8)
I applied your patch in my testing environment with httpd-2.4.6 and it
works as advertised. After appending DH parameters to the certificate
file, all DH ciphers were using the expected key size.
I found it a bit confusing that you actually have to put the params
alongside your certificate into one file. One has to pay more attention
to these additional settings on changing the certificate.
But if it is actually way more easy to implement DH / ECDHE parameters
this way, then it is probably the way to go.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884/comments/13
------------------------------------------------------------------------
On 2013-09-15T10:48:04+00:00 Asfbugz wrote:
(In reply to Erwann Abalea from comment #9)
> This function is similar to SSL_read_X509 and SSL_read_PrivateKey defined in
> the same file, and used by the module to read the corresponding objects.
Perhaps this is an opportunity to clean up some mod_ssl cruft... I just
took an extended proposal to the mailing list, to stir some further
discussion:
http://mail-archives.apache.org/mod_mbox/httpd-
dev/201309.mbox/%3C52358ED1.2070704 at velox.ch%3E
Additionally, I think we should consider to use 2048-bit DH parameters
by default if the cert's RSA/DSA key is 2048 bits or more (so that
sysadmin's don't have to generate their custom DH parameters to get more
than 1024 bits for DHE). Changing this by default is probably debatable,
and therefore another reason I'm taking it to the list.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884/comments/15
------------------------------------------------------------------------
On 2013-09-15T14:23:33+00:00 Frazzzzze wrote:
DH-parameters should always be at least the same size as the SSL certificate, so if I use 4096 or even 8192 bit for the certificate a DH parameter with only 2048 bit would effectively weaken the whole connection down to 2048 bit, which we don't want and in a few years we would have the exactly same situation ( DH parameters too weak and not FULLY selectable) as we do right now
So please consider this and let the admin choose freely, but at least make sure DH parameters bits are never smaller than SSL certificate bits!
Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884/comments/16
------------------------------------------------------------------------
On 2013-09-29T10:49:16+00:00 Asfbugz wrote:
Comment on attachment 30804
PoC: read (EC)DHE parameters from SSLCertificateFile (applies to trunk and 2.4.x)
For trunk, this issue has been addressed with r1527295 (with updated
documentation under
https://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslcertificatefile).
A backport proposal for 2.4.x will likely follow.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884/comments/17
------------------------------------------------------------------------
On 2013-10-01T17:32:51+00:00 Asfbugz wrote:
Backport to 2.4.x proposed with r1528154. Patch available at
https://people.apache.org/~kbrand/mod_ssl-2.4.x-ekh.diff.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884/comments/18
------------------------------------------------------------------------
On 2013-10-20T22:36:27+00:00 Nick Le Mouton wrote:
The patch https://people.apache.org/~kbrand/mod_ssl-2.4.x-ekh.diff seems
to break TLS 1.1 and 1.2 on my setup (RHEL 6.x, apache 2.4.6, openssl
1.0.1e). I haven't had a chance to look into it further, but using
ssllabs.com it no longer showed me as supporting > TLS 1.0
Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884/comments/22
------------------------------------------------------------------------
On 2013-10-20T23:25:10+00:00 Nick Le Mouton wrote:
Sorry, was a config error on my side. Patch works well.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884/comments/23
------------------------------------------------------------------------
On 2013-11-01T03:19:34+00:00 dkg wrote:
I'm glad to see this patch being backported to 2.4. What are the
considerations for backporting it to the 2.2.x branch as well?
Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884/comments/24
------------------------------------------------------------------------
On 2013-11-27T06:28:14+00:00 Asfbugz wrote:
Comment on attachment 28699
Updated patch for 2.4.2
Marking as obsolete, since a different approach has been implemented in
2.4.x.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884/comments/26
------------------------------------------------------------------------
On 2013-11-27T06:29:16+00:00 Asfbugz wrote:
Fixed in 2.4.7 with r1542327.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884/comments/27
------------------------------------------------------------------------
On 2015-06-01T16:42:11+00:00 Ylavic-dev wrote:
Backported to 2.2.30 in r1680916.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884/comments/41
** Changed in: apache2
Status: Unknown => Fix Released
** Changed in: apache2
Importance: Unknown => Wishlist
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1197884
Title:
apache2.2 SSL has no forward-secrecy: need ECDHE keys
Status in Apache2 Web Server:
Fix Released
Status in apache2 package in Ubuntu:
Fix Released
Status in apache2 source package in Precise:
Fix Released
Status in apache2 package in Debian:
Fix Released
Bug description:
In the light of recent revelations about Prism/NSA/GCHQ etc, it is
more important than ever to keep SSL secure.
But... as far as I can tell, there exists no combination of SSL cIphers that satisfies all of:
* Resistant to the BEAST attack
* Has Perfect Forward Secrecy
* Is in Apache 2.2
[I'm testing with: https://www.ssllabs.com/ssltest/analyze.html ]
The only solution seems to be to deploy Apache 2.4 (or backport the
ECDHE ciphers into the 2.2 package).
Can I suggest therefore that the lack of Apache 2.4 packages
represents a serious security vulnerability to people visiting
websites hosted on Ubuntu.
This affects every currently released Ubuntu distro (including
raring). There is still no pacakge of apache 2.4, nor is there a
backport of the ECDHE feature. There are some PPAs of 2.4, but these
aren't maintained with security updates, nor do they support mod_php.
To manage notifications about this bug go to:
https://bugs.launchpad.net/apache2/+bug/1197884/+subscriptions
More information about the Ubuntu-sponsors
mailing list