Remove (or discourage) small DH groups in crypto.getDiffieHellman #25366
Update on the issue. Therefore I propose to: (a) deprecate everything below 2048 bits (i.e., modp1, modp2, modp5) and remove it in the future according to the deprecation policy of Node.js (which I don't know); since abb0702 these groups can be constructed manually; (b) mention this plainly in the docs. I'm preparing a patch as we speak.
I might even go further and discourage use of getDiffieHellman in favor of createDiffieHellman.
Setting P1 as we should consider for the next release. @jasnell and @misterdjules, I know you had already started to think about what we should do for Logjam.
@dnakamura I don't have an opinion on that. Both approaches will work, and there are not that many users of getDiffieHellman anyway. However, getDiffieHellman gives people an easy-to-use black box to do DH.
@thinred I'm not suggesting completely deprecating the function, but maybe just adding a line to the docs, something along the lines of
Yes, assuming the patch is for crypto.getDiffieHellman (and not for everything mentioned there). It would be good if somebody made a common interface to this command line/env. variable interface. I don't claim to know the source code of node very well...
Yes, I just had in mind the parts related to crypto.getDiffieHellman, and the command line/env process can be separate; you'll just need to use the result to control whether modp1 is enabled or not.
Seems easy, with pleasure. :)
@joyent/node-collaborators Moved to the 0.12.6 milestone according to #25509 (comment), but please feel free to suggest otherwise if you do not agree with that comment.
No problem with moving it. I shall work on the patch tonight anyway, so maybe it will manage to hit 0.12.5 in the end :).
I rebased my preliminary fix in #25372.
We should run tests both with and without the env variable/command line set. 67d9a56 and related patches are an example of doing that. It basically launches a new Node process setting the command line or environment variable to run the required variants.
A new set of patches in #25372. This only needs the ENABLE_SMALL_DH_GROUPS patch (and a rebase/merge of my topmost patch).
Hi,
the set of predefined RFC DH groups offered by getDiffieHellman should be reconsidered. Due to the new Logjam revelations (https://weakdh.org/sysadmin.html, search for OpenSSH), groups with a preset prime of size smaller than 2048 bits should be considered easily breakable (well, it's not Logjam that showed it; it only brought the problem to the public's attention).
According to https://tools.ietf.org/html/rfc4253#section-8.1, Oakley Group 2 is a MUST in SSH protocol implementations (there is at least one that exists: https://github.com/mscdex/ssh2-streams), so we cannot simply drop it. However, we could do either:
1) drop modp1 group (which has 768 bits) and, possibly, modp5 as well (1536 bits)
2) deprecate all groups < 2048 bits in the docs
I can prepare a patch for any of these options, but please comment.
Tomasz