[openssl-dev] What key length is used for DHE by default ?

[openssl-dev] What key length is used for DHE by default ?

Nayna Jain

Hi,

With the latest logjam attack, as I was trying to verify if my server (lighttpd) accepts DHE_xxx ciphers, I saw that it accepted them, and I hadn't done any configuration setting for DH parameters explicitly.


But I couldn't verify what key length it used by default: 512/1024/2048?

E.g. the one it negotiated was DHE-RSA-AES128-SHA256, for the TLSv1.2 protocol.

Will the key length be different for different protocols like SSLv3/TLSv1.0/TLSv1.1/TLSv1.2? If yes, then what is it for each of them?


Thanks & Regards,
Nayna Jain

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] What key length is used for DHE by default ?

Hubert Kario
On Friday 22 May 2015 15:41:09 Nayna Jain wrote:
> Hi,
>
> With the latest logjam attack, as I was trying to verify if my server
> (lighttpd) accepts DHE_xxx  ciphers,  I saw that it accepted and I didn't
> do any configuration setting done for DH parameters explicitly.

There's no default in OpenSSL, applications need to set the DH parameters
themselves.
 
> But I couldn't verify what is the key length did it use by default
> 512/1024/2048 ?

openssl s_client -connect hostname:443 -cipher EDH </dev/null 2>/dev/null |
grep 'Server Temp Key'

> Will the key length be different for different protocols like
> SSLv3/TLSv1.0/TLSv1.1/TLSv1.2?  If yes , then what for each of them.

no, it will be the same for all protocols

--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

Re: [openssl-dev] What key length is used for DHE by default ?

Nayna Jain

Hi Hubert,

Thanks..

I tried the command you mentioned i.e.
openssl s_client -connect hostname:443 -cipher EDH </dev/null 2>/dev/null |
grep 'Server Temp Key'


But it didn't output anything.

Thanks & Regards,
Nayna Jain



From: Hubert Kario <[hidden email]>
To: [hidden email]
Cc: Nayna Jain/India/IBM@IBMIN, OpenSSL Users List <[hidden email]>
Date: 05/22/2015 04:28 PM
Subject: Re: [openssl-dev] What key length is used for DHE by default ?






Re: [openssl-dev] What key length is used for DHE by default ?

Salz, Rich

Did you follow the full instructions – using a 1.0.2 openssl client?

 

The blog posting is pretty clear. https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
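
An added example, not part of the thread: a POSIX shell helper that reads `openssl s_client` output and classifies the `Server Temp Key` line, including the case discussed here where a pre-1.0.2 client negotiates DHE but prints no such line. The function name, verdict strings, sample outputs and the 512/2048-bit cut-offs are assumptions of this example.

```sh
#!/bin/sh
# Added example: classify the "Server Temp Key" line of `openssl s_client` output.
# Reads s_client output on stdin and echoes one verdict. The 512/2048 cut-offs
# are this example's policy (assumption), not values stated in the thread.
classify_temp_key() {
    out=$(cat)
    key=$(printf '%s\n' "$out" | sed -n 's/^Server Temp Key: *//p' | head -n 1)
    if [ -z "$key" ]; then
        # Clients older than 1.0.2 never print the line, even after a DHE handshake.
        if printf '%s\n' "$out" | grep -Eq 'Cipher is (DHE|EDH)-'; then
            echo "dhe-size-not-reported"
        else
            echo "no-dhe-handshake"
        fi
        return 0
    fi
    bits=$(printf '%s\n' "$key" | sed -n 's/^DH, *\([0-9][0-9]*\) bits.*/\1/p')
    if [ -z "$bits" ]; then
        echo "not-dh"                 # e.g. an ECDH temp key
    elif [ "$bits" -le 512 ]; then
        echo "export-grade $bits"
    elif [ "$bits" -lt 2048 ]; then
        echo "weak $bits"
    else
        echo "ok $bits"
    fi
}

# Constructed sample outputs (not captured from a real server).
sample_102_dh1024() {
    printf '%s\n' '---' 'Server Temp Key: DH, 1024 bits' '---' \
        'New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA256'
}
sample_101_client() {   # pre-1.0.2 client: same handshake, no temp key line
    printf '%s\n' '---' 'New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA256'
}
sample_102_dh2048() {
    printf '%s\n' '---' 'Server Temp Key: DH, 2048 bits' '---' \
        'New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384'
}

for s in sample_102_dh1024 sample_101_client sample_102_dh2048; do
    printf '%s: %s\n' "$s" "$("$s" | classify_temp_key)"
done
# Live use, with the command from this thread:
#   openssl s_client -connect hostname:443 -cipher EDH </dev/null 2>/dev/null | classify_temp_key
```
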



Re: [openssl-dev] What key length is used for DHE by default ?

Nayna Jain

Ok, I think this is what I didn't know. I was using openssl 1.0.1g client.

I still didn't have openssl 1.0.2.

Thanks..

Thanks & Regards,
Nayna Jain



From: "Salz, Rich" <[hidden email]>
To: "[hidden email]" <[hidden email]>
Date: 05/22/2015 09:31 PM
Subject: Re: [openssl-dev] What key length is used for DHE by default ?
Sent by: "openssl-dev" <[hidden email]>






Re: [openssl-dev] What key length is used for DHE by default ?

Rainer Jung-3
On 22.05.2015 at 18:32, Nayna Jain wrote:
> Ok, I think this is what I didn't know. I was using openssl 1.0.1g client.
>
> I still didn't have openssl 1.0.2 .

If it were trivial I think showing the temp key size would be a welcome
backport to 1.0.1 before the next release. It is very useful in light of
logjam but many people are not yet at 1.0.2. Of course they won't get the
latest 1.0.1 immediately, but distros have a chance to backport.

Regards,

Rainer


Re: [openssl-dev] What key length is used for DHE by default ?

mancha
On Fri, May 22, 2015 at 06:43:28PM +0200, Rainer Jung wrote:

> On 22.05.2015 at 18:32, Nayna Jain wrote:
> >Ok, I think this is what I didn't know. I was using openssl 1.0.1g
> >client. I still didn't have openssl 1.0.2 .
>
> If it were trivial I think showing the temp key size would be a
> welcome backport to 1.0.1 before the next release. It is very useful
> in light of logjam but many people are not yet at 1.0.2. Of course
> they won't get the latest 1.0.1 immediately, but distros have a chance
> to backport.
>
> Regards,
>
> Rainer
Hi Rainer (and devs).

I had already done this for personal consumption. When I saw your email
I decided to make a pull request (devs, for your consideration):

  https://github.com/openssl/openssl/pull/291

If you'd like to patch OpenSSL 1.0.1m immediately, grab my patch
(https://github.com/mancha1/openssl/commit/a59f22520bb5.patch), remove
the first hunk (to CHANGES), and apply it.

--mancha
