[Ach] OpenSSL Cipher Strings: kDHE/kECDHE

Peter Ulber pu at uni-konstanz.de
Sun Mar 15 00:23:04 CET 2015


Hi,

On Saturday, 14 March 2015 20:06 CET, Kurt Roeckx <kurt at roeckx.be> wrote:

> So DHE selects all those with key exchange DHE (the kDHE part)
> where authentication is anything but NULL.  So yes, it's the same.

Maybe one should add some more hints regarding prefixing "a" (authentication), "k" (keyexchange) and "e" (encryption) and the important synonym notations. And where and how to configure OCSPstapling.

I tried digging deeper when it comes to DHE parameters in OpenSSL and where they come from. I hope I don't repeat already well known stuff; in that case please skip that part. Starting with that post

https://security.stackexchange.com/questions/56214/what-are-the-openssl-standard-diffie-hellmann-parameters-primes

which leads to a Gandhi quote "Whatever you do will be insignificant, but it is very important that
you do it." represented in ASCII from which they used the last 79 bytes as a seed for prime generation:

http://tools.ietf.org/html/draft-ietf-ipsec-skip-06#section-5.3

Starting with Apache 2.4.7 one can define custom parameters (modulus for DHE and curve for ECDHE). Because OpenSSL generates "safe primes" that may take a while ;-) To use these custom parameters one has to put them at the end of the certificate file (or with OpenSSL 1.0.2 one can use the SSL_CONF API):

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile
https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslopensslconfcmd

I am not quite sure when they started using DH parameters larger than 1024 bits. According to the Apache changelog there was a change with 2.4.10, but maybe it already started with Apache 2.4.7

https://www.apache.org/dist/httpd/CHANGES_2.4

As far as I understand, starting with Apache 2.6 they will use standardized parameters

https://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?view=markup&pathrev=1598107#l50

from

http://tools.ietf.org/html/rfc2409
http://tools.ietf.org/html/rfc3526

According to the first post I mentioned "interestingly (or not), the 512-bit modulus used by apps/s_server.c is NOT the same as the one in dh512.pem." I wonder why. Do you know what are the (minimal) conditions for creating "good" custom parameters?

> If there is anything we can change in the manual, please let us
> know.

Maybe I can contribute the configuration for mod_tls (mod-gnutls) tested with Apache 2.2 (Debian Wheezy) and Apache 2.4 (Debian Jessie). To separate the configuration from the one for mod_ssl I created a folder "/etc/tls". So here we go within the vhost configuration (if mod_tls is enabled):

1. Debian Wheezy (GnuTLS 3.3.8 from backports, Apache 2.2.22, modGnuTLS 0.5.10)

-------- snip --------
# Strict Transport Security (HSTS)
Header always set Strict-Transport-Security "max-age=31556926"
# enable GnuTLS
GnuTLSEnable On
# private key, certificate including intermediate certificates
GnuTLSKeyFile /etc/tls/priv/my-private-key.pem
GnuTLSCertificateFile /etc/tls/cert/my-certificate.pem
# diffie hellman keyexchange parameters
GnuTLSDHFile /etc/tls/dhpm/my-diffie-hellman-parameters.pem
# GnuTLS explicit priority string
GnuTLSPriorities NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+DHE-RSA:+RSA: \
+AES-256-CBC:+CAMELLIA-256-CBC:+AES-128-CBC:+CAMELLIA-128-CBC: \
+SHA512:+SHA384:+SHA256:+SHA1:+SIGN-RSA-SHA512:+SIGN-RSA-SHA384: \
+SIGN-RSA-SHA256:+COMP-NULL:%SAFE_RENEGOTIATION
-------- snap --------

2. Debian Jessie (GnuTLS 3.3.8, Apache 2.4.10, modGnuTLS 0.5.10 or 0.6)
-------- snip --------
# Strict Transport Security (HSTS)
Header always set Strict-Transport-Security "max-age=31556926"
# enable GnuTLS
GnuTLSEnable On
# private key, certificate including intermediate certificates
GnuTLSKeyFile /etc/tls/priv/my-private-key.pem
GnuTLSCertificateFile /etc/tls/cert/my-certificate.pem
# diffie hellman keyexchange parameters
GnuTLSDHFile /etc/tls/dhpm/my-diffie-hellman-parameters.pem
# GnuTLS explicit priority string
GnuTLSPriorities NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+ECDHE-RSA:+DHE-RSA:+RSA: \
+AES-256-GCM:+CAMELLIA-256-GCM:+AES-256-CBC:+CAMELLIA-256-CBC:+AES-128-GCM: \
+CAMELLIA-128-GCM:+AES-128-CBC:+CAMELLIA-128-CBC:+CURVE-SECP521R1: \
+CURVE-SECP384R1:+CURVE-SECP256R1:+AEAD:+SHA512:+SHA384:+SHA256:+SHA1: \
+SIGN-RSA-SHA512:+SIGN-RSA-SHA384:+SIGN-RSA-SHA256:+COMP-NULL: \
%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION
-------- snap --------

Hope this does some good :)

Btw there is a nice web tool for GnuTLS (which works for Apache as well as for lighttpd):

http://blog.lighttpd.net/gnutls-priority-strings.html

> Kurt

Regards,
Peter
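Added example, not from this thread or from any of the projects named in it: a Python check for the "minimal conditions for good custom parameters" question above. It parses a PKCS#3 "DH PARAMETERS" PEM file of the kind handed to GnuTLSDHFile (the embedded sample is a constructed 10-bit group, far too small for real use) and reports whether p is a safe prime, whether the generator is usable, and whether p meets a size floor; the 2048-bit floor is this example's assumption, not a figure from the thread.

```python
import base64, random
# Constructed sample in the PKCS#3 "DH PARAMETERS" PEM format that GnuTLSDHFile reads:
# SEQUENCE { INTEGER p = 1019, INTEGER g = 2 }. 1019 = 2*509 + 1 is a safe prime, but it is
# only 10 bits long, so the size check below must reject it.
SAMPLE_DH_PEM = """-----BEGIN DH PARAMETERS-----
MAcCAgP7AgEC
-----END DH PARAMETERS-----"""

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_dh_params(pem):
    """Return (p, g) from a PEM-encoded SEQUENCE { INTEGER p, INTEGER g }."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    tag, seq, _ = _read_tlv(base64.b64decode(body), 0)
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    assert (tag, tag_p, tag_g) == (0x30, 0x02, 0x02), "not SEQUENCE { INTEGER, INTEGER }"
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")

def is_probable_prime(n, rounds=40):
    """Miller-Rabin; it never rejects a true prime, so vetting a real file is deterministic."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def check_dh_params(p, g, min_bits=2048):  # 2048-bit floor is this example's policy choice
    """p = 2q+1 with p and q prime (so any g outside {1, p-1} has order q or 2q), p big enough."""
    q = (p - 1) // 2
    safe = is_probable_prime(p) and is_probable_prime(q)
    return {"bits": p.bit_length(), "safe_prime": safe,
            "big_enough": p.bit_length() >= min_bits, "g_ok": 1 < g < p - 1}
```

On a real file (for example one written by `openssl dhparam -out my-diffie-hellman-parameters.pem 2048`), `check_dh_params(*parse_dh_params(open(path).read()))` should report `safe_prime` and `big_enough` both true before the file is referenced from the vhost.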
