[Ach] Issue with OpenSSL >0.9.8l <1.0.0 (DHE key size)
Torsten Gigler
torsten.gigler at owasp.org
Sun Apr 27 18:27:26 CEST 2014
Hello Aaron,
For DHE you need a second Key:
https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_handshake_and_dhparam
But there are implementations that have real trouble with too large
DH-key-sizes >1024bits (and too small, not focused here)
http://blog.hboeck.de/archives/841-Diffie-Hellman-and-TLS-with-nonsense-parameters.html
The Author, Hanno, is here on the list :-)
JAVA had this issue:
http://stackoverflow.com/questions/6851461/java-why-does-ssl-handshake-give-could-not-generate-dh-keypair-exception
You can see the JAVA issue (for versions that support SNI, as the
servers seem to use SNI):
https://www.ssllabs.com/ssltest/analyze.html?d=dh1024.tlsfun.de&hideResults=on
(working)
https://www.ssllabs.com/ssltest/analyze.html?d=dh2048.tlsfun.de&hideResults=on
(JAVA 6/7 (+8?) does not work)
0x16, EDH-RSA-DES-CBC3-SHA sometimes hides the failure of JAVA with
DHE-RSA-AES128-SHA
I haven't seen a Wireshark trace yet, but I haven't seen any error
handling for this in the RFC other than a complete handshake failure and
the hope that the client tries to send a second hello without the Cipher
that caused the failure. [The client sends all ciphers it can (generally)
handle, the server hello includes only 1 Cipher that the server chose on
the basis of this list, the server does not know that the client will have
trouble with this, if the key size is too large].
So I think it is a good idea to exclude the Ciphers that would be the
1st Cipher for those legacy clients like JAVA: 0x00,0x33 -
DHE-RSA-AES128-SHA and to use at least 2000 bits for the DH-Key (see
BSI:
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2_pdf.pdf?__blob=publicationFile).
This would be no disadvantage, as I did not find any other Clients with
which a Server negotiates this cipher when it is set to the priority of
the ciphers I suggested.
I hope this has clarified this point, OK?
Kind regards
Torsten
On 26.04.2014 20:40, Aaron Zauner wrote:
>
> Torsten Gigler wrote:
>> On 26.04.2014 16:07, Aaron Zauner wrote:
>>> Again. DHE-RSA-AES128 missing.
>> Yes, this works as designed ;-)
>> I'd suggest to exclude '0x00,0x33 - DHE-RSA-AES128-SHA' to protect
>> against a possible incompatibility for JAVA6+7 & DH-Keys >1024bits
>> So you do NOT get in trouble using keys with 2048bits :-)
> I do not really understand what you mean? What's the difference here for
> the Diffie-Hellman key exchange? Only the block cipher is of different
> strength. Could you elaborate on that a bit?
>
>
>
> Aaron
>
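
Added example, not part of the original message or of any project's code: a toy Python model of the negotiation described above, where the server picks one cipher from the client's list without knowing the client's DH size limit. The server priority lists, the client offers and the 1024-bit client cap are constructed assumptions for illustration.

```python
# Added illustration: a toy model of the cipher choice described in the message.
# It is not a TLS implementation; all lists and limits below are constructed.

DHE_SUITES = {"DHE-RSA-AES128-SHA"}  # suites whose key exchange uses the server's DH parameters

# Constructed server priority lists, with and without 0x00,0x33.
SERVER_WITH_0X33 = ["ECDHE-RSA-AES128-SHA", "DHE-RSA-AES128-SHA", "AES128-SHA"]
SERVER_WITHOUT_0X33 = [s for s in SERVER_WITH_0X33 if s != "DHE-RSA-AES128-SHA"]

# Constructed clients: (offered suites, largest DH size in bits the client accepts).
LEGACY_CLIENT = (["DHE-RSA-AES128-SHA", "AES128-SHA"], 1024)  # assumed 1024-bit cap
MODERN_CLIENT = (["ECDHE-RSA-AES128-SHA", "DHE-RSA-AES128-SHA", "AES128-SHA"], 4096)


def server_select(server_prefs, client_offer):
    """Return the first suite in the server's priority order that the client offered."""
    offered = set(client_offer)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None


def handshake(server_prefs, server_dh_bits, client):
    """Return (result, chosen_suite). The server chooses without knowing the client's DH limit."""
    offer, client_max_dh_bits = client
    suite = server_select(server_prefs, offer)
    if suite is None:
        return ("no shared cipher", None)
    if suite in DHE_SUITES and server_dh_bits > client_max_dh_bits:
        # The client only sees the DH size after the server has committed to the suite,
        # so the result is a failed handshake rather than a different choice.
        return ("handshake failure", suite)
    return ("ok", suite)


if __name__ == "__main__":
    for name, prefs in (("with 0x33", SERVER_WITH_0X33), ("without 0x33", SERVER_WITHOUT_0X33)):
        for bits in (1024, 2048):
            for label, client in (("legacy", LEGACY_CLIENT), ("modern", MODERN_CLIENT)):
                print(f"{name:13} DH={bits} {label:6} -> {handshake(prefs, bits, client)}")
```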