[Ach] OpenSSL Cipher Strings: kDHE/kECDHE
Peter Ulber
pu at uni-konstanz.de
Sun Mar 15 00:23:04 CET 2015
Hi,
On Saturday, 14 March 2015 20:06 CET, Kurt Roeckx <kurt at roeckx.be> wrote:
> So DHE selects all those with key exchange DHE (the kDHE part)
> where authentication is anything but NULL. So yes, it's the same.
Maybe one should add some more hints regarding prefixing "a" (authentication), "k" (key exchange) and "e" (encryption) and the important synonym notations. And where and how to configure OCSP stapling.
I tried digging deeper when it comes to DHE parameters in OpenSSL and where they come from. I hope I don't repeat already well known stuff; in that case please skip that part. Starting with that post
https://security.stackexchange.com/questions/56214/what-are-the-openssl-standard-diffie-hellmann-parameters-primes
which leads to a Gandhi quote "Whatever you do will be insignificant, but it is very important that you do it." represented in ASCII from which they used the last 79 bytes as a seed for prime generation:
http://tools.ietf.org/html/draft-ietf-ipsec-skip-06#section-5.3
Starting with Apache 2.4.7 one can define custom parameters (modulus for DHE and curve for ECDHE). Because OpenSSL generates "safe primes" that may take a while ;-) To use these custom parameters one has to put them at the end of the certificate file (or with OpenSSL 1.0.2 one can use the SSL_CONF API):
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile
https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslopensslconfcmd
I am not quite sure when they started using larger DH parameters than 1024 bit. According to the Apache changelog there was a change with 2.4.10, but maybe it already started with Apache 2.4.7.
https://www.apache.org/dist/httpd/CHANGES_2.4
As far as I understand, starting with Apache 2.6 they will use standardized parameters
https://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?view=markup&pathrev=1598107#l50
from
http://tools.ietf.org/html/rfc2409
http://tools.ietf.org/html/rfc3526
According to the first post I mentioned "interestingly (or not), the 512-bit modulus used by apps/s_server.c is NOT the same as the one in dh512.pem." I wonder why. Do you know what are the (minimal) conditions for creating "good" custom parameters?
> If there is anything we can change in the manual, please let us
> know.
Maybe I can contribute the configuration for mod_tls (mod-gnutls) tested with Apache 2.2 (Debian Wheezy) and Apache 2.4 (Debian Jessie). To separate the configuration from the one for mod_ssl I created a folder "/etc/tls". So here we go within the vhost configuration (if mod_tls is enabled):
1. Debian Wheezy (GnuTLS 3.3.8 from backports, Apache 2.2.22, modGnuTLS 0.5.10)
-------- snip --------
# Strict Transport Security (HSTS)
Header always set Strict-Transport-Security "max-age=31556926"
# enable GnuTLS
GnuTLSEnable On
# private key, certificate including intermediate certificates
GnuTLSKeyFile /etc/tls/priv/my-private-key.pem
GnuTLSCertificateFile /etc/tls/cert/my-certificate.pem
# diffie hellman keyexchange parameters
GnuTLSDHFile /etc/tls/dhpm/my-diffie-hellman-parameters.pem
# GnuTLS explicit priority string
GnuTLSPriorities NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+DHE-RSA:+RSA: \
+AES-256-CBC:+CAMELLIA-256-CBC:+AES-128-CBC:+CAMELLIA-128-CBC: \
+SHA512:+SHA384:+SHA256:+SHA1:+SIGN-RSA-SHA512:+SIGN-RSA-SHA384: \
+SIGN-RSA-SHA256:+COMP-NULL:%SAFE_RENEGOTIATION
-------- snap --------
2. Debian Jessie (GnuTLS 3.3.8, Apache 2.4.10, modGnuTLS 0.5.10 or 0.6)
-------- snip --------
# Strict Transport Security (HSTS)
Header always set Strict-Transport-Security "max-age=31556926"
# enable GnuTLS
GnuTLSEnable On
# private key, certificate including intermediate certificates
GnuTLSKeyFile /etc/tls/priv/my-private-key.pem
GnuTLSCertificateFile /etc/tls/cert/my-certificate.pem
# diffie hellman keyexchange parameters
GnuTLSDHFile /etc/tls/dhpm/my-diffie-hellman-parameters.pem
# GnuTLS explicit priority string
GnuTLSPriorities NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+ECDHE-RSA:+DHE-RSA:+RSA: \
+AES-256-GCM:+CAMELLIA-256-GCM:+AES-256-CBC:+CAMELLIA-256-CBC:+AES-128-GCM: \
+CAMELLIA-128-GCM:+AES-128-CBC:+CAMELLIA-128-CBC:+CURVE-SECP521R1: \
+CURVE-SECP384R1:+CURVE-SECP256R1:+AEAD:+SHA512:+SHA384:+SHA256:+SHA1: \
+SIGN-RSA-SHA512:+SIGN-RSA-SHA384:+SIGN-RSA-SHA256:+COMP-NULL: \
%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION
-------- snap --------
Hope this does some good :)
Btw, there is a nice web tool for GnuTLS (which works for Apache as well as for lighttpd):
http://blog.lighttpd.net/gnutls-priority-strings.html
> Kurt
Regards,
Peter
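
The message above mentions that OpenSSL generates "safe primes" and that custom DH parameters are appended to the certificate file. The following Python check is an added example, not part of the original post and not code from Apache, OpenSSL or GnuTLS: it pulls the DH PARAMETERS block out of such a file and reports the modulus size and whether the modulus is a safe prime. The function names, the 2048-bit floor and the toy sample are assumptions made for this example.

```python
import base64
import random

# Constructed toy sample (p = 23, g = 2) in the PEM layout "openssl dhparam" writes.
SAMPLE_PEM = "-----BEGIN DH PARAMETERS-----\nMAYCARcCAQI=\n-----END DH PARAMETERS-----\n"

def _read_tlv(buf, pos, tag):
    """Read one DER element with the expected tag; return (value, next_pos)."""
    if buf[pos] != tag:
        raise ValueError("unexpected DER tag 0x%02x" % buf[pos])
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def parse_dh_pem(pem):
    """Return (p, g) from the DH PARAMETERS block, e.g. one appended to a cert file."""
    begin, end = "-----BEGIN DH PARAMETERS-----", "-----END DH PARAMETERS-----"
    if begin not in pem or end not in pem:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(pem.split(begin, 1)[1].split(end, 1)[0].split()))
    seq, _ = _read_tlv(der, 0, 0x30)  # SEQUENCE { INTEGER p, INTEGER g, ... }
    p, pos = _read_tlv(seq, 0, 0x02)
    g, _ = _read_tlv(seq, pos, 0x02)
    return int.from_bytes(p, "big"), int.from_bytes(g, "big")

def is_probable_prime(n, rounds=40):
    """Miller-Rabin primality test with random bases."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x not in (1, n - 1) and all(pow(x, 2 ** r, n) != n - 1 for r in range(1, s)):
            return False
    return True

def audit_dh_params(pem, min_bits=2048):  # 2048 is this example's assumed floor
    """Return a list of findings; an empty list means both checks passed."""
    p, _ = parse_dh_pem(pem)
    findings = []
    if p.bit_length() < min_bits:
        findings.append("modulus is %d bits, below %d" % (p.bit_length(), min_bits))
    if not (is_probable_prime(p) and is_probable_prime((p - 1) // 2)):
        findings.append("modulus is not a safe prime")
    return findings
```

Run against the toy sample, `audit_dh_params(SAMPLE_PEM)` flags only the modulus size, since 23 is a safe prime but far too small.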