Re: apache2 wheezy backport
Hi,

> If you are only looking for ECC/ECDHE, you could try this patch
> http://people.apache.org/~sf/ECC-2.2-v2.diff on the wheezy package. I 
> think we may include it in a future wheezy point release, but I would 
> like it to be approved for upstream 2.2.x, first.
I got pointed to this particular thread. The patchfile you mentioned
seems okay, save for two issues.

First, the patch still has hardcoded 1024-bit DH parameters. While
offering forward secrecy, using 1k DH makes for a weaker key exchange
than using 4096-bit RSA. Personally, I'd actually argue against using
ephemeral DH exchanges with 1024 bit DH params in favour of 4k RSA
exchanges. But I am rather paranoid about this.

More importantly, the patch still uses NID_X9_62_prime256v1 which in
turn uses Dual_EC_DRBG as its pseudo-RNG. This is problematic, as there
have long been suspicions about this PRNG being not so random which have
recently surfaced again:

  <https://tinyurl.com/omsx9v6>

More importantly, NIST now actively discourages use of Dual_EC_DRBG
in 800-90A:

  <http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf>

For this reason I'd not only strongly argue in favour of using
NID_secp521r1 for the ECDH exchange - but I'd actually argue against
using ECDHE altogether with curve P256 because of the aforementioned
issue.

A problem with this is that both changes, but especially the increased
DH pool size, also result in increased server load which may not be
desirable. This could be solved by having a configuration directive to
specify a path to a DH params file.

Lastly, I'd like to note that I do not regularly follow this list. I
apologize in advance for any conventions on this mailing list I haven't
followed.

-- 
Patrick Godschalk
argure@argure.nl
GPG: <https://argure.nl/identity/ecc14594.asc>
This e-mail falls under the CC0 1.0 Universal Public Domain Dedication.
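As an added example (my own code, neither part of the message above nor of
the Apache patch it refers to): a small Python checker that parses the
PKCS#3 DH parameters a "path to a DH params file" directive would point at
and reports the size of the prime, so that a file can be rejected before
deployment when it is only 1024 bits, like the hard-coded defaults the
message objects to. The policy floor MIN_DH_BITS, the helper names and the
two sample parameter sets are assumptions: the 1024-bit sample is the
RFC 2409 group 2 prime transcribed for its size, and the 2048-bit sample is
a constructed non-prime placeholder that exists only to exercise the check.

```python
"""Added example: audit the prime size of a PEM 'DH PARAMETERS' file.

Parses the PKCS#3 DHParameter structure that `openssl dhparam` writes:
SEQUENCE { p INTEGER, g INTEGER, privateValueLength INTEGER OPTIONAL }.
"""
import base64
import re

MIN_DH_BITS = 2048  # assumption: a policy floor, not a value from the thread

_PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)


def _der_len(buf, i):
    """Decode a DER length starting at buf[i]; return (length, next index)."""
    first = buf[i]
    if first < 0x80:                       # short form
        return first, i + 1
    n = first & 0x7F                       # long form: n length bytes follow
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _der_int(buf, i):
    """Decode a DER INTEGER at buf[i]; return (value, next index)."""
    if buf[i] != 0x02:
        raise ValueError("expected INTEGER tag at offset %d" % i)
    length, j = _der_len(buf, i + 1)
    return int.from_bytes(buf[j:j + length], "big", signed=True), j + length


def parse_dh_params(pem):
    """Return (p, g) from a 'DH PARAMETERS' PEM block; raise if malformed."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    seq_len, i = _der_len(der, 1)
    end = i + seq_len
    p, i = _der_int(der, i)
    g, i = _der_int(der, i)
    if i < end:                            # optional privateValueLength
        _, i = _der_int(der, i)
    if i != end or end != len(der):
        raise ValueError("trailing or truncated DER data")
    if p <= 0 or g <= 1:
        raise ValueError("implausible DH parameters")
    return p, g


def dh_prime_bits(pem):
    """Bit length of the DH modulus p in the given PEM text."""
    return parse_dh_params(pem)[0].bit_length()


def dh_params_acceptable(pem, min_bits=MIN_DH_BITS):
    """True if the modulus meets the policy floor."""
    return dh_prime_bits(pem) >= min_bits


# --- constructed sample input, for demonstration only ------------------------

def _der_encode_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_encode_uint(n):
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")  # leading 0x00 keeps it positive
    return b"\x02" + _der_encode_len(len(body)) + body


def make_dh_pem(p, g=2):
    """Build the PEM text `openssl dhparam` would write for (p, g)."""
    body = _der_encode_uint(p) + _der_encode_uint(g)
    der = b"\x30" + _der_encode_len(len(body)) + body
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) +
            "\n-----END DH PARAMETERS-----\n")


# RFC 2409 group 2 (1024-bit MODP) prime, transcribed; only its size matters
# here.  Comparable to the hard-coded 1024-bit parameters in the patch.
RFC2409_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)

# Constructed 2048-bit placeholder that is NOT prime; it only shows the size
# check passing.  Real parameters come from `openssl dhparam 2048`.
PLACEHOLDER_2048_P = (1 << 2047) | 1


if __name__ == "__main__":
    for label, p in (("RFC 2409 group 2", RFC2409_GROUP2_P),
                     ("2048-bit placeholder", PLACEHOLDER_2048_P)):
        pem = make_dh_pem(p)
        print("%-22s %4d-bit p, acceptable=%s"
              % (label, dh_prime_bits(pem), dh_params_acceptable(pem)))
```

The check reads the modulus size straight out of the DER rather than
trusting a file name or a comment, so a 1024-bit file renamed to
dh4096.pem is still caught; it does not test primality, which is what
`openssl dhparam -check` is for.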