[Nbd] STARTTLS and DH parameters and GnuTLS initialisation
Whilst reviewing the TLS code, I found this:

        check_rv(gnutls_dh_params_init(&dh_params));
        check_rv(gnutls_dh_params_generate2(dh_params,
                                gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH,
                                        GNUTLS_SEC_PARAM_MEDIUM
                                        )));

This is called at the start of every TLS session. This seems an
unreasonable overhead. My understanding is that in general you
need only set DH parameters once ever (on a per-site basis), and
certainly not per connection. Many servers use default DH parameters.

Below is what EXIM has to say, for instance. It keeps DH parameters
in a file preserved between runs that you can delete!

Even if we feel the need to generate DH parameters, and don't want
to be bothered with loading/saving them from a file, generating
them on every STARTTLS is ridiculous. I'd also be concerned that
this will change the DH parameters for extant sessions were it
not for the forking model which protects us from that (now). Unless
I've completely misunderstood the purpose of these lines, they should
be in a general init function, not a 'once-per session' init. It
would also be nice to be able to skip them.

Now, that will need some thinking about due to the 'one process
per client' model, but I don't see any harm initialising GnuTLS
once (in the main process) and relying on UNIX CoW to do its
tricks and continue initialisation elsewhere.


From:
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html

> GnuTLS uses D-H parameters that may take a substantial amount of time to compute. It is unreasonable to re-compute them for every TLS session. Therefore, Exim keeps this data in a file in its spool directory, called gnutls-params-NNNN for some value of NNNN, corresponding to the number of bits requested. The file is owned by the Exim user and is readable only by its owner. Every Exim process that starts up GnuTLS reads the D-H parameters from this file. If the file does not exist, the first Exim process that needs it computes the data and writes it to a temporary file which is renamed once it is complete. It does not matter if several Exim processes do this simultaneously (apart from wasting a few resources). Once a file is in place, new Exim processes immediately start using it.
> 
> For maximum security, the parameters that are stored in this file should be recalculated periodically, the frequency depending on your paranoia level. If you are avoiding using the fixed D-H primes published in RFCs, then you are concerned about some advanced attacks and will wish to do this; if you do not regenerate then you might as well stick to the standard primes.


-- 
Alex Bligh