From 9b35be58100237365c24ab394d3dc6462f9675e6 Mon Sep 17 00:00:00 2001
From: Shigeki Ohtsu
Date: Wed, 20 May 2015 14:20:26 +0900
Subject: [PATCH] tls: make server not use DHE in less than 1024bits

DHE key lengths less than 1024bits is already weaken as pointed out in https://weakdh.org/ . 1024bits will not be safe in near future. We will extend this up to 2048bits somedays later.

PR-URL: https://github.com/nodejs/io.js/pull/1739
Reviewed-By: Ben Noordhuis
Reviewed-By: Fedor Indutny
---
 doc/api/tls.markdown | 6 ++++--
 src/node_crypto.cc | 6 ++++++
 test/parallel/test-tls-dhe.js | 10 ++++++----
 3 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/doc/api/tls.markdown b/doc/api/tls.markdown
index 657f690343ff03..a00b27dab91c94 100644
--- a/doc/api/tls.markdown
+++ b/doc/api/tls.markdown
@@ -183,8 +183,10 @@ automatically set as a listener for the [secureConnection][] event. The
 - `dhparam`: A string or `Buffer` containing Diffie Hellman parameters, required for Perfect Forward Secrecy. Use `openssl dhparam` to create it.
- If omitted or invalid, it is silently discarded and DHE ciphers won't be
- available.
+ Its key length should be greater than or equal to 1024 bits, otherwise
+ it throws an error. It is strongly recommended to use 2048 bits or
+ more for stronger security. If omitted or invalid, it is silently
+ discarded and DHE ciphers won't be available.
 - `handshakeTimeout`: Abort the connection if the SSL/TLS handshake does not finish in this many milliseconds. The default is 120 seconds.
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 03dc7d61807d58..e2c478a510be84 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -757,6 +757,12 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo& args) {
 if (dh == nullptr) return;
+ const int keylen = BN_num_bits(dh->p);
+ if (keylen < 1024)
+ return env->ThrowError("DH parameter is less than 1024 bits");
+ else if (keylen < 2048)
+ fprintf(stderr, "WARNING: DH parameter is less than 2048 bits\n");
+
 SSL_CTX_set_options(sc->ctx_, SSL_OP_SINGLE_DH_USE);
 int r = SSL_CTX_set_tmp_dh(sc->ctx_, dh);
 DH_free(dh);
diff --git a/test/parallel/test-tls-dhe.js b/test/parallel/test-tls-dhe.js
index 5c9eb87b2e2935..92fff3f221b65f 100644
--- a/test/parallel/test-tls-dhe.js
+++ b/test/parallel/test-tls-dhe.js
@@ -62,8 +62,9 @@ function test(keylen, expectedCipher, cb) {
 }
 function test512() {
- test(512, 'DHE-RSA-AES128-SHA256', test1024);
- ntests++;
+ assert.throws(function() {
+ test(512, 'DHE-RSA-AES128-SHA256', null);
+ }, /DH parameter is less than 1024 bits/);
 }
 function test1024() {
@@ -77,12 +78,13 @@ function test2048() {
 }
 function testError() {
- test('error', 'ECDHE-RSA-AES128-SHA256', null);
+ test('error', 'ECDHE-RSA-AES128-SHA256', test512);
 ntests++;
 }
-test512();
+test1024();
 process.on('exit', function() {
 assert.equal(ntests, nsuccess);
+ assert.equal(ntests, 3);
 });
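Review bot: The new `keylen < 1024` branch returns through `env->ThrowError(...)` before the `DH_free(dh)` at the end of the hunk, so the rejected `dh` appears to be leaked every time a too-small parameter is supplied. Free it on that path, e.g. `if (keylen < 1024) { DH_free(dh); return env->ThrowError("DH parameter is less than 1024 bits"); }`. SetDHParam starts and ends outside the hunk and the allocation of `dh` is not visible, so ownership is inferred from the existing `DH_free` call. Separately, the 1024–2047 bit case only writes to stderr with `fprintf`, which an embedding application can neither observe nor suppress; a comment such as `// Transitional: warn only; the minimum is expected to rise to 2048 bits.` would record that this is deliberate.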
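Review bot: Nothing in the exit handler confirms that `test512` actually ran: it no longer increments `ntests`, and it is reached only as the callback that `testError` passes to `test('error', ...)`, so if that callback is never invoked the 512-bit rejection check is skipped while `assert.equal(ntests, 3)` can still pass. Record it explicitly, for example `var ran512 = false;` next to the counters, `ran512 = true;` after the `assert.throws` in `test512`, and `assert(ran512);` in the exit handler. How `test()` invokes `cb` and updates `nsuccess` is outside these hunks, so this rests on the visible call chain only; the point covers both hunks of test-tls-dhe.js.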