linuxdcpp-team team mailing list archive

[Bug 1850053] [NEW] dh key too small

 

*** This bug is a security vulnerability ***

Public security bug reported:

When creating a new certificate, we use the script `linux/generate_certs.sh`
It uses this command:
 $ openssl dhparam -outform PEM -out dhparam.pem 1024
which means "use a Diffie-Hellman key of 1024 bits"

Sadly, the Logjam attack occurs on DH keys <=1024 bits.
As a way to "fix" that, Debian software can't connect anymore to ADCS hubs that have a DH key <=1024 bits.

See https://weakdh.org/ for more security info, but tldr:
 > If you run a server… [...] you should disable support for export cipher suites and use a 2048-bit Diffie-Hellman group.

You can therefore fix the issue by modifying
 $ openssl dhparam -outform PEM -out dhparam.pem 1024
to
 $ openssl dhparam -outform PEM -out dhparam.pem 2048

Cheers

** Affects: adchpp
     Importance: Undecided
         Status: New


** Tags: dh openssl

** Patch added: "generate_certs.patch"
   https://bugs.launchpad.net/bugs/1850053/+attachment/5300620/+files/generate_certs.patch

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of
Dcplusplus-team, which is subscribed to ADCH++.
https://bugs.launchpad.net/bugs/1850053