Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update: Transport_Layer_Security_Cheat_Sheet #1453

Closed
nmav opened this issue Jul 24, 2024 · 1 comment
Closed

Update: Transport_Layer_Security_Cheat_Sheet #1453

nmav opened this issue Jul 24, 2024 · 1 comment
Labels
ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. HELP_WANTED Issue for which help is wanted to do the job. UPDATE_CS Issue about the update/refactoring of a existing cheat sheet.

Comments

@nmav
Copy link
Contributor

nmav commented Jul 24, 2024
edited
Loading

What is missing or needs to be updated?

Use Strong Diffie-Hellman Parameters section: section needs to be updated with new guidance advising against generating own Diffie-Hellman parameters but instead use the protocol built-ins from RFC7919. TLS 1.3 doesn't allow using own parameters and negotiates using named supported_groups.

How should this be resolved?

Recommend against generating DH parameters as this is legacy practice with several drawbacks such as:

  • The client has no say in the security of the parameters, so they can only accept them unconditionally or drop the connection
  • The server cannot know the client's capability in handling groups, usually meaning that the server has to provide a small (and insecure) parameter that most clients can handle.

Configuring openssl for RFC7919 paremeters depends on the version. Refer to openssl DH config documentation.
@nmav nmav added ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. HELP_WANTED Issue for which help is wanted to do the job. UPDATE_CS Issue about the update/refactoring of a existing cheat sheet. labels Jul 24, 2024
@markgamache
Copy link
Contributor

This seems like a solid plan.

nmav pushed a commit to nmav/CheatSheetSeries that referenced this issue Jul 25, 2024
Transport_Layer_Security_Cheat_Sheet.md: updated section on Diffie-He…
188f2b9 
…llman parameters

Resolves: OWASP#1453

Signed-off-by: Nikos Mavrogiannopoulos <nikos.mavrogiannopoulos@assaabloy.com>
@nmav nmav mentioned this issue Jul 25, 2024
Merged
8 tasks
nmav pushed a commit to nmav/CheatSheetSeries that referenced this issue Jul 25, 2024
Transport_Layer_Security_Cheat_Sheet.md: updated section on Diffie-He…
781e569 
…llman parameters

Resolves: OWASP#1453

Signed-off-by: Nikos Mavrogiannopoulos <nikos.mavrogiannopoulos@assaabloy.com>
nmav pushed a commit to nmav/CheatSheetSeries that referenced this issue Jul 26, 2024
Transport_Layer_Security_Cheat_Sheet.md: updated section on Diffie-He…
062e0fb 
…llman parameters

Resolves: OWASP#1453

Signed-off-by: Nikos Mavrogiannopoulos <nikos.mavrogiannopoulos@assaabloy.com>
nmav pushed a commit to nmav/CheatSheetSeries that referenced this issue Jul 26, 2024
Transport_Layer_Security_Cheat_Sheet.md: updated section on Diffie-He…
ff25c87 
…llman parameters

Resolves: OWASP#1453

Signed-off-by: Nikos Mavrogiannopoulos <nikos.mavrogiannopoulos@assaabloy.com>
nmav pushed a commit to nmav/CheatSheetSeries that referenced this issue Jul 29, 2024
Transport_Layer_Security_Cheat_Sheet.md: updated section on Diffie-He…
077c315 
…llman parameters

Resolves: OWASP#1453

Signed-off-by: Nikos Mavrogiannopoulos <nikos.mavrogiannopoulos@assaabloy.com>
nmav pushed a commit to nmav/CheatSheetSeries that referenced this issue Jul 29, 2024
Transport_Layer_Security_Cheat_Sheet.md: updated section on Diffie-He…
3ca974e 
…llman parameters

Resolves: OWASP#1453

Signed-off-by: Nikos Mavrogiannopoulos <nikos.mavrogiannopoulos@assaabloy.com>
@jmanico jmanico closed this as completed in cbe68a9 Aug 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. HELP_WANTED Issue for which help is wanted to do the job. UPDATE_CS Issue about the update/refactoring of a existing cheat sheet.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@nmav @markgamache