-
Notifications
You must be signed in to change notification settings - Fork 30.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tls: make server not use DHE in less than 1024bits for fix agaist Logjam Attack #1739
Conversation
As this is a security patch (?), does this cheat the semver major cycle? |
Yes, this is a security patch but it is a similar kind of the fix for limiting cipher suites we did before. We did not change semver in changing the default cipher suite so I think this follows it. |
Update the doc description to recommend to use 2048bits or more. |
A quick question: when 1024 bits will be not safe, will you make a similar patch to make it throw an error then? Maybe it would be reasonable to print a warning to stderr in advance (maybe even now) for 1024 bits so less people will get surprised when that will be turned into an error? |
Its key length should be greater than or equal to 1024bits, otherwise | ||
it throws an error. It is recommended to use 2048bits or more for | ||
enough strong security. If omitted or invalid, it is silently | ||
discarded and DHE ciphers won't be available. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/1024bits/1024 bits/
, ditto for 2048bits.- I would
s/recommended/strongly recommended/
and maybe add a warning that someday we're going to enforce it. s/enough strong security/stronger security/
DHE key lengths less than 1024bits is already weaken as pointed out in https://weakdh.org/ . 1024bits will not be safe in near future. We will extend this up to 2048bits somedays later.
@ChALkeR Printing WARNING is a good idea to me. Updated it in this PR. @bnoordhuis Updated according your comments. My editor was wired when I wrote assert.throws. I also found a bug of my tests that the 512 bits test does not invoke the next test. PTAL. |
@@ -757,6 +757,12 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo<Value>& args) { | |||
if (dh == nullptr) | |||
return; | |||
|
|||
int keylen = BN_num_bits(dh->p); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Suggestion: make keylen
const.
LGTM A suggestion for a follow-up PR: print the warning from JS land with |
LGTM |
DHE key lengths less than 1024bits is already weaken as pointed out in https://weakdh.org/ . 1024bits will not be safe in near future. We will extend this up to 2048bits somedays later. PR-URL: #1739 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Fedor Indutny <fedor@indutny.com>
@bnoordhuis @indutny Thanks for reviewing. Landed in 9b35be5 with Ben's suggestion to add const for kenlen. For console.trace, I will work it with a client fix later. |
DHE key lengths less than 1024bits is already weaken as pointed out in https://weakdh.org/ . 1024bits will not be safe in near future. We will extend this up to 2048bits somedays later. PR-URL: nodejs#1739 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Fedor Indutny <fedor@indutny.com>
PR-URL: nodejs#1532 Notable Changes: * crypto: Diffie-Hellman key exchange (DHE) parameters ('dhparams') must now be 1024 bits or longer or an error will be thrown. A warning will also be printed to the console if you supply less than 2048 bits. See https://weakdh.org/ for further context on this security concern. (Shigeki Ohtsu) nodejs#1739. * node: A new --trace-sync-io command line flag will print a warning and a stack trace whenever a synchronous API is used. This can be used to track down synchronous calls that may be slowing down an application. (Trevor Norris) nodejs#1707. * node: To allow for chaining of methods, the setTimeout(), setKeepAlive(), setNoDelay(), ref() and unref() methods used in 'net', 'dgram', 'http', 'https' and 'tls' now return the current instance instead of undefined (Roman Reiss) nodejs#1779. * util: A significant speed-up (in the order of 35%) for the common-case of a single string argument to util.format(), used by console.log() (Сковорода Никита Андреевич) nodejs#1749.
PR-URL: nodejs#1532 Notable Changes: * crypto: Diffie-Hellman key exchange (DHE) parameters ('dhparams') must now be 1024 bits or longer or an error will be thrown. A warning will also be printed to the console if you supply less than 2048 bits. See https://weakdh.org/ for further context on this security concern. (Shigeki Ohtsu) nodejs#1739. * node: A new --trace-sync-io command line flag will print a warning and a stack trace whenever a synchronous API is used. This can be used to track down synchronous calls that may be slowing down an application. (Trevor Norris) nodejs#1707. * node: To allow for chaining of methods, the setTimeout(), setKeepAlive(), setNoDelay(), ref() and unref() methods used in 'net', 'dgram', 'http', 'https' and 'tls' now return the current instance instead of undefined (Roman Reiss & Evan Lucas) nodejs#1699 nodejs#1768 nodejs#1779. * util: A significant speed-up (in the order of 35%) for the common-case of a single string argument to util.format(), used by console.log() (Сковорода Никита Андреевич) nodejs#1749.
PR-URL: nodejs#1532 Notable Changes: * crypto: Diffie-Hellman key exchange (DHE) parameters ('dhparams') must now be 1024 bits or longer or an error will be thrown. A warning will also be printed to the console if you supply less than 2048 bits. See https://weakdh.org/ for further context on this security concern. (Shigeki Ohtsu) nodejs#1739. * node: A new --trace-sync-io command line flag will print a warning and a stack trace whenever a synchronous API is used. This can be used to track down synchronous calls that may be slowing down an application. (Trevor Norris) nodejs#1707. * node: To allow for chaining of methods, the setTimeout(), setKeepAlive(), setNoDelay(), ref() and unref() methods used in 'net', 'dgram', 'http', 'https' and 'tls' now return the current instance instead of undefined (Roman Reiss & Evan Lucas) nodejs#1699 nodejs#1768 nodejs#1779. * util: A significant speed-up (in the order of 35%) for the common-case of a single string argument to util.format(), used by console.log() (Сковорода Никита Андреевич) nodejs#1749.
PR-URL: nodejs#1532 Notable Changes: * crypto: Diffie-Hellman key exchange (DHE) parameters ('dhparams') must now be 1024 bits or longer or an error will be thrown. A warning will also be printed to the console if you supply less than 2048 bits. See https://weakdh.org/ for further context on this security concern. (Shigeki Ohtsu) nodejs#1739. * node: A new --trace-sync-io command line flag will print a warning and a stack trace whenever a synchronous API is used. This can be used to track down synchronous calls that may be slowing down an application. (Trevor Norris) nodejs#1707. * node: To allow for chaining of methods, the setTimeout(), setKeepAlive(), setNoDelay(), ref() and unref() methods used in 'net', 'dgram', 'http', 'https' and 'tls' now return the current instance instead of undefined (Roman Reiss & Evan Lucas) nodejs#1699 nodejs#1768 nodejs#1779. * npm: Upgraded to v2.10.1, release notes can be found in https://github.com/npm/npm/releases/tag/v2.10.1 and https://github.com/npm/npm/releases/tag/v2.10.0. * util: A significant speed-up (in the order of 35%) for the common-case of a single string argument to util.format(), used by console.log() (Сковорода Никита Андреевич) nodejs#1749.
PR-URL: #1777 Notable Changes: * crypto: Diffie-Hellman key exchange (DHE) parameters ('dhparams') must now be 1024 bits or longer or an error will be thrown. A warning will also be printed to the console if you supply less than 2048 bits. See https://weakdh.org/ for further context on this security concern. (Shigeki Ohtsu) #1739. * node: A new --trace-sync-io command line flag will print a warning and a stack trace whenever a synchronous API is used. This can be used to track down synchronous calls that may be slowing down an application. (Trevor Norris) #1707. * node: To allow for chaining of methods, the setTimeout(), setKeepAlive(), setNoDelay(), ref() and unref() methods used in 'net', 'dgram', 'http', 'https' and 'tls' now return the current instance instead of undefined (Roman Reiss & Evan Lucas) #1699 #1768 #1779. * npm: Upgraded to v2.10.1, release notes can be found in https://github.com/npm/npm/releases/tag/v2.10.1 and https://github.com/npm/npm/releases/tag/v2.10.0. * util: A significant speed-up (in the order of 35%) for the common-case of a single string argument to util.format(), used by console.log() (Сковорода Никита Андреевич) #1749.
To make it easy to figure out where the warning comes from. Also fix style and variable name that was made in nodejs#1739.
To make it easy to figure out where the warning comes from. Also fix style and variable name that was made in nodejs#1739.
To make it easy to figure out where the warning comes from. Also fix style and variable name that was made in nodejs#1739.
To make it easy to figure out where the warning comes from. Also fix style and variable name that was made in nodejs#1739.
DHE key lengths less than 1024bits is already weaken as pointed out in https://weakdh.org/ . 1024bits will not be safe in near future. We will extend this up to 2048bits somedays later. PR-URL: nodejs/node#1739 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Fedor Indutny <fedor@indutny.com>
DHE key lengths less than 1024bits is already weaken as pointed out in https://weakdh.org/ . 1024bits will not be safe in near future. We will extend this up to 2048bits somedays later. PR-URL: nodejs#1739 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Fedor Indutny <fedor@indutny.com>
To make it easy to figure out where the warning comes from. Also fix style and variable name that was made in nodejs#1739.
DHE key lengths less than 1024bits is already weaken as pointed out in https://weakdh.org/ . 1024bits will not be safe in near future. We will extend this up to 2048bits somedays later.
What do about for clients? We can obtain DHE keylength via
SSL_get_server_tmp_key()
but I think we'd better to have an new options to limit the DHE key size with 1024bits default. Thoughts?CI results are https://jenkins-iojs.nodesource.com/job/iojs+any-pr+multi/697/. It looks fine except jenkins, child_process and sync-io-option error.
R= @bnoordhuis @indutny