How to enforce DH field size in the client?

Jeffrey Walton-3
Hi Everyone,

Based on the docs for SSL_CTX_set_tmp_dh_callback(3), the callback is
supposed to be invoked for DH parameter selection. The docs also
avoid/fail to state it's a server only feature, so it's not clear to me
if the client is able to use it.

It appears SSL_CTX_set_tmp_dh_callback and/or SSL_set_tmp_dh_callback
are not invoked at the client when the temporary public key is
selected, so there does not appear to be a way to query the field size
and fail the connection.

Are clients supposed to be informed of DH parameter selection via
SSL_CTX_set_tmp_dh_callback and/or SSL_set_tmp_dh_callback? Or is
there another method available?

At the client, how do we enforce minimum Diffie-Hellman field sizes?

Jeff
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: How to enforce DH field size in the client?

Viktor Dukhovni
On Mon, Oct 05, 2015 at 11:55:36AM -0400, Jeffrey Walton wrote:

> Based on the docs for SSL_CTX_set_tmp_dh_callback(3), the callback is
> supposed to be invoked for DH parameter selection. The docs also
> avoid/fail to state it's a server only feature, so it's not clear to me
> if the client is able to use it.

This is a server-only interface.

> It appears SSL_CTX_set_tmp_dh_callback and/or SSL_set_tmp_dh_callback
> are not invoked at the client when the temporary public key is
> selected, so there does not appear to be a way to query the field size
> and fail the connection.

Not via this interface.

> Are clients supposed to be informed of DH parameter selection via
> SSL_CTX_set_tmp_dh_callback and/or SSL_set_tmp_dh_callback?

No.

> At the client, how do we enforce minimum Diffie-Hellman field sizes?

This should be possible via configuration, not just explicit API
calls from applications that go to the extra trouble.

Some work in that direction is in the master branch (future 1.1.0).

There are ways to determine the server handshake group size, but
this is not a good long-term interface for applications.  See
the new (1.0.2) SSL_get_server_tmp_key() function in commit:

    2001129f096d10bbd815936d23af3e97daf7882d

and how it is used in that commit.

--
        Viktor.

Re: How to enforce DH field size in the client?

ramahmoo
>>This should be possible via configuration, not just explicit API
>>calls from applications that go to the extra trouble.
How is it possible via configuration?

I have seen in s3_clnt.c that OpenSSL checks the server DH prime size against a hardcoded value:

    if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 768)
        || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512)) {
        SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_DH_KEY_TOO_SMALL);
        goto f_err;
    }


Is it possible to initialize the compared constant key size via some public method?
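
Added example (not part of the thread and not OpenSSL code): the client-side size check discussed above, written as a stand-alone C function that parses the ServerDHParams of a DHE ServerKeyExchange (dh_p, dh_g, dh_Ys, each a 2-byte-length-prefixed vector per RFC 5246) and compares the prime against a caller-supplied minimum rather than a hardcoded one. The function name, return codes and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Read one TLS opaque<1..2^16-1> vector: 2-byte big-endian length, then data.
 * Returns 0 and advances *pos on success; -1 if the vector is empty or truncated. */
static int read_vec16(const uint8_t *buf, size_t len, size_t *pos,
                      const uint8_t **out, size_t *out_len)
{
    if (len - *pos < 2) return -1;
    size_t n = ((size_t)buf[*pos] << 8) | buf[*pos + 1];
    *pos += 2;
    if (n == 0 || n > len - *pos) return -1;
    *out = buf + *pos;
    *out_len = n;
    *pos += n;
    return 0;
}

/* Significant bits of a big-endian integer; leading zero bytes do not count. */
static int bit_length(const uint8_t *v, size_t n)
{
    while (n > 0 && *v == 0) { v++; n--; }
    if (n == 0) return 0;
    int bits = (int)(n - 1) * 8;
    for (uint8_t top = *v; top != 0; top >>= 1) bits++;
    return bits;
}

/* Hypothetical helper: returns the bit size of dh_p when it is >= min_bits,
 * -1 if the parameters are malformed, -2 if the prime is too small. */
int check_server_dh_params(const uint8_t *ske, size_t len, int min_bits)
{
    const uint8_t *p, *g, *ys;
    size_t p_len, g_len, ys_len, pos = 0;
    if (read_vec16(ske, len, &pos, &p, &p_len) != 0 ||
        read_vec16(ske, len, &pos, &g, &g_len) != 0 ||
        read_vec16(ske, len, &pos, &ys, &ys_len) != 0)
        return -1;
    int bits = bit_length(p, p_len);
    return bits >= min_bits ? bits : -2;
}

/* Constructed sample: dh_p = 0xC34F sent with a leading zero byte, g = 2, Ys = 0x1234. */
const uint8_t sample_ske[] = { 0x00, 0x03, 0x00, 0xC3, 0x4F,
                               0x00, 0x01, 0x02, 0x00, 0x02, 0x12, 0x34 };
```

The sample's dh_p occupies three bytes on the wire but is only 16 bits, which is why the check counts significant bits rather than using the vector length.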