-
Notifications
You must be signed in to change notification settings - Fork 7.3k
Conversation
This looks good to me but would like @shigeki to take a look as well. If shigeki thinks it looks ok I can create a PR that pulls over nodejs/node#1739 and updates to include a check against SMALL_DH_GROUPS_ENABLE. shigeki I'd also like your opinion on whether we should add a similar check in crypto.createDiffieHellman(prime_length) as well. ie reject a prime_length smaller than 768 and use the same command line/env variable to allow fallback. |
not be used in new code. Moreover, the use of the `'modp1'` group must | ||
be explicitly enabled: either via `'--enable-small-dh-groups'` switch to | ||
node, or by setting the `'ENABLE_SMALL_DH_GROUPS'` environment variable | ||
to any value. | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that this is somehow confusing that only modp1
leads throwing an error and modp2
and modp5
can be used without no message of deprecation whereas the size of 2048 bits is considered deprecated.
Is it better to say that the group size of less than 1024 bits was deprecated and that of less than 2048 bits is not recommended?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, let's do it that way.
Commit title need to be changed to follow https://github.com/joyent/node/blob/master/CONTRIBUTING.md#commit. |
I put some comments. |
This fixes issue 25366. In particular: - DH groups of size < 1024 are disabled by default (there is only one such group: modp1) and their use will throw an exception - a new cmdline switch --enable-small-dh-groups and the SMALL_DH_GROUPS_ENABLE env. variable are introduced; they override the default setting and therefore enable modp1 group - the documentation & tests are updated The change has been triggered by the security report "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice" which proved that small, predefined DH primes groups should not be used.
I improved the PR. |
@shigeki does your last comment apply only to createDiffieHellman or are you wondering if we should be deprecating for getDiffieHellman() ? |
My comment above is more general for security hardening on crypto module not tls. Edit: correction that only modp1 is to be deprecated. |
To be clear, only modp1 is deprecated and disabled. modp2 & modp5 work just fine, but are not recommended. |
Yes, only modp1 is to be deprecated. I updated and corrected the above comment. But to be sure, I'm not against deprecation. If we do this, I'm wondering we are going to the way to have |
How about if we rename -enable-small-dh-key to -enable-small-keys. This could then be used for this case and others in the future as well as potentially the other cases you mentioned. As was the case for the option proposed in case of the RC4 removal, we could make it take a parameter which is the version of node so that we can fall back to the same limits as any previous version. So for example: -enable-small-keys=0.10.39 would fall back to the limits that were in place for 0.10.39 This would mean we could add further limits without affecting the API and also allow easy fallback to a set that was being used by an earlier version |
@mhdawson Let me confirm that the option is for tls, crypto or both module? This PR is for crypto functionality and nodejs/node#1739 is for tls. As I wrote, they have different security requirements. |
@shigeki, I believe we want an option to fall back to previous behaviour for #1739 since it is a breaking change. I was thinking the option would be for both as I think we want to limit the number of different command line options if at all possible. If the issue is that we don't believe that we only need to limit the key sizes for tls in order to address logjam then maybe we should just limit for tls and cover the other cases through documentation. |
@shigeki would lit make sense to try and find a time that we could talk over hangouts to come to agreement on what we think we should do ? |
@mhdawson Sorry, for my late reply. I agree that #25514 needs an option and that's no problem. I am going to update my PR to have the option. |
@shigeki. Sounds reasonable to me to do what you suggest in your last comment which I understand to be:
|
Any update on this? |
@thinred Very sorry, I have little time to work on this before July 23 and will be back to do it after that. |
Thank you for your patience. shigeki/node@a1e289d is my proposal to update the doc and please take a look at it. If it is acceptable I will submit a new PR. |
I added two more patches on top of that: https://github.com/thinred/node/tree/c_c The important change is that it should say "at least" instead of "more than". |
@thinred Thanks for revising my English. Your change and additions are fine with me but I also would like to add one more commit of shigeki/node@fbd32d6 to remove @mhdawson We'd better to move to the iojs issue not to miss this after convergence. How do you think about it? |
@shigeki You forgot about this one: thinred@8d8d084 :) |
We'll want this in 0.10.X and 0.12.X, and everything from 0.12.X should be merged into nodejs/node as part of the convergance work right ? Is what you are suggesting that once its in 0.10.X and 0.12.X that we should open another issue to get it into io.js master ? |
@shigeki I assume you are planning a separate PR for pulling in nodejs/node#1739 with a command line option to revert |
@mhdawson I'm planning to separating against #25514 where a flag should be included. This PR becomes a doc fix and it should be applied to both iojs and nodejs. After final review in iojs and getting merged, then we can backport it to joyent/node v0.10/v0.12. I fear the description gets inconsistent. |
@shigeki ... what is the status on this one? |
FYI The current solution is in the branch https://github.com/thinred/node/commits/c_c. |
@shigeki In my opinion much better solution than Sample entries from java.security file: |
@MichalStaruch Thanks for your comment. Node do not have such a kind of external property files. IMHO, it is not a good idea to have a new parser for it. Anyway, this fix was already made in another PR of nodejs/node#3890. So I'm going to close this. |
@shigeki It was just an example of a more generic solution, where cryptography constraints are defined by user, not hard-coded - I never said it has to be defined in file :). Similar mechanism (defaults we can override) is already present in node.js, see |
In particular:
(there is only one such group: modp1)
SMALL_DH_GROUPS_ENABLE env. variable are introduced;
they override the default setting and therefore enable
modp1 group