Add a new option to limit DH key size in tls connect #1831
Conversation
shigeki
added
crypto
shigeki
changed the title
|
Are you sure that we are actually vulnerable to the logjam attack? I always thought that we are not doing False Start, so it should not be possible to perform MiTM attack in this case. |
|
False Start is the worst case to decrypt DATA in offline.
According the paper, 512 bit DH key can be solved about 90 secs for the server with built-in prime such as apache. The current TLS timeout of iojs is 120 secs which is longer than that. |
|
@shigeki but this is not logjam anymore, right? I just don't want to say that we was vulnerable to it in the first place, especially if we wasn't. |
shigeki
changed the title
|
If the wording of logjam only covers export DH cipher, that is right. I did not care about that. I've just changed this PR title to remove the word of logjam. There is no word of logjam in the commit message. |
| @@ -347,6 +347,11 @@ Creates a new client connection to the given `port` and `host` (old API) or | |||
|
|
|||
| - `session`: A `Buffer` instance, containing TLS session. | |||
|
|
|||
| - `minDHkeylen`: Minimum key length of an ephemeral DH parameter to | |||
There was a problem hiding this comment.
A camel case (minDHKeyLen)? Or even minDHSize
There was a problem hiding this comment.
I take minDHSize as it is shorter and more legible.
|
A couple of nits, otherwise looking great! Good job, @shigeki ! |
shigeki
force-pushed
the
fix_LogjamAttack_client
branch
from
484262e
to
dd8a2a2
Compare
|
@bnoordhuis @indutny Thanks for reviewing. According to your comments, I updated them. PTAL. |
| connection. It returns an empty object when the key exchange is not | ||
| ephemeral. As it is only supported on a client socket, it returns null | ||
| if this is called on a server socket. The type of 'DH' and 'ECDH' are | ||
| supported. The name property is only available in 'ECDH'. |
There was a problem hiding this comment.
Femto-nit: maybe reword this to:
The supported types are 'DH' and 'ECDH'. The `name` property is only available with 'ECDH'.
|
LGTM apart from a couple of nits. Can you rebase and run the CI before landing this? Thanks. |
shigeki
force-pushed
the
fix_LogjamAttack_client
branch
3 times, most recently
from
8b16dfd
to
e4f02bd
Compare
|
@shigeki @bnoordhuis @indutny ... ping |
|
Sorry for my late response. This is a security enhancement of DH as the same way of Chrome/Firefox. It is not so much threat at the usual use but https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breaking-so-much-crypto/ says that
so that I think it is worth to have this in order to protect against the nation level attack. |
|
This should be semver-major. It will definitely break code that was connecting to 1024-bit DH servers. Otherwise LGTM |
shigeki
added
semver-major
|
@indutny Thanks. I agree it. I've changed label. I rebase this, make tests again and land it after 5.0 start. |
|
Note: |
|
@Fishrock123 Thanks. The current master is already 5.0.0-pre so can I land this now? |
|
CI show the following 7 test failures but they are not related to this PR. Otherwise are green.
|
|
@shigeki v5.0 is set to cut probably next week, and semver-major's have been landing on (This also assumes this has had enough TSC review, which I think it has.) |
Returns an object representing a type, name and size of an ephemeral key exchange in a client connection. Currently only DHE and ECHE are supported. This api only works on on a client connection. When it is called on a server connection, null is returned. When its key exchange is not ephemeral, an empty object is returned. PR-URL: #1831 Reviewed-By: indutny - Fedor Indutny <[email protected]> Reviewed-By: bnoordhuis - Ben Noordhuis <[email protected]>
Add a new option to specifiy a minimum size of an ephemeral DH parameter to accept a tls connection. Default is 1024 bit. PR-URL: #1831 Reviewed-By: indutny - Fedor Indutny <[email protected]> Reviewed-By: bnoordhuis - Ben Noordhuis <[email protected]>
To make it easy to figure out where the warning comes from. Also fix style and variable name that was made in #1739. PR-URL: #1831 Reviewed-By: indutny - Fedor Indutny <[email protected]> Reviewed-By: bnoordhuis - Ben Noordhuis <[email protected]>
|
@Fishrock123 Thanks. |
Notable changes: * buffer: (Breaking) Removed both 'raw' and 'raws' encoding types from Buffer, these have been deprecated for a long time (Sakthipriyan Vairamani) nodejs#2859. * console: (Breaking) Values reported by console.time() now have 3 decimals of accuracy added (Michaël Zasso) nodejs#3166. * fs: - fs.readFile*(), fs.writeFile*(), and fs.appendFile*() now also accept a file descriptor as their first argument (Johannes Wüller) nodejs#3163. - (Breaking) In fs.readFile(), if an encoding is specified and the internal toString() fails the error is no longer thrown but is passed to the callback (Evan Lucas) nodejs#3485. - (Breaking) In fs.read() (using the fs.read(fd, length, position, encoding, callback) form), if the internal toString() fails the error is no longer thrown but is passed to the callback (Evan Lucas) nodejs#3503. * http: - Fixed a bug where pipelined http requests would stall (Fedor Indutny) nodejs#3342. - (Breaking) When parsing HTTP, don't add duplicates of the following headers: Retry-After, ETag, Last-Modified, Server, Age, Expires. This is in addition to the following headers which already block duplicates: Content-Type, Content-Length, User-Agent, Referer, Host, Authorization, Proxy-Authorization, If-Modified-Since, If-Unmodified-Since, From, Location, Max-Forwards (James M Snell) nodejs#3090. - (Breaking) The callback argument to OutgoingMessage#setTimeout() must be a function or a TypeError is thrown (James M Snell) nodejs#3090. - (Breaking) HTTP methods and header names must now conform to the RFC 2616 "token" rule, a list of allowed characters that excludes control characters and a number of separator characters. Specifically, methods and header names must now match /^[a-zA-Z0-9_!#$%&'*+.^`|~-]+$/ or a TypeError will be thrown (James M Snell) nodejs#2526. * node: - (Breaking) Deprecated the _linklist module (Rich Trott) nodejs#3078. - (Breaking) Removed require.paths and require.registerExtension(), both had been previously set to throw Error when accessed (Sakthipriyan Vairamani) nodejs#2922. * npm: Upgraded to version 3.3.6 from 2.14.7, see https://github.com/npm/npm/releases/tag/v3.3.6 for more details. This is a major version bump for npm and it has seen a significant amount of change. Please see the original npm v3.0.0 release notes for a list of major changes (Rebecca Turner) nodejs#3310. * src: (Breaking) Bumped NODE_MODULE_VERSION to 47 from 46, this is necessary due to the V8 upgrade. Native add-ons will need to be recompiled (Rod Vagg) nodejs#3400. * timers: Attempt to reuse the timer handle for setTimeout().unref(). This fixes a long-standing known issue where unrefed timers would perviously hold beforeExit open (Fedor Indutny) nodejs#3407. * tls: - Added ALPN Support (Shigeki Ohtsu) nodejs#2564. - TLS options can now be passed in an object to createSecurePair() (Коренберг Марк) nodejs#2441. - (Breaking) The default minimum DH key size for tls.connect() is now 1024 bits and a warning is shown when DH key size is less than 2048 bits. This a security consideration to prevent "logjam" attacks. A new minDHSize TLS option can be used to override the default. (Shigeki Ohtsu) nodejs#1831. * util: - (Breaking) util.p() was deprecated for years, and has now been removed (Wyatt Preul) nodejs#3432. - (Breaking) util.inherits() can now work with ES6 classes. This is considered a breaking change because of potential subtle side-effects caused by a change from directly reassigning the prototype of the constructor using `ctor.prototype = Object.create(superCtor.prototype, { constructor: { ... } })` to using `Object.setPrototypeOf(ctor.prototype, superCtor.prototype)` (Michaël Zasso) nodejs#3455. * v8: (Breaking) Upgraded to 4.6.85.25 from 4.5.103.35 (Ali Ijaz Sheikh) nodejs#3351. - Implements the spread operator, see https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Spread_operator for further information. - Implements new.target, see https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/new.target for further information. * zlib: Decompression now throws on truncated input (e.g. unexpected end of file) (Yuval Brik) nodejs#2595. PR-URL: nodejs#3466
Notable changes: * buffer: (Breaking) Removed both 'raw' and 'raws' encoding types from Buffer, these have been deprecated for a long time (Sakthipriyan Vairamani) #2859. * console: (Breaking) Values reported by console.time() now have 3 decimals of accuracy added (Michaël Zasso) #3166. * fs: - fs.readFile*(), fs.writeFile*(), and fs.appendFile*() now also accept a file descriptor as their first argument (Johannes Wüller) #3163. - (Breaking) In fs.readFile(), if an encoding is specified and the internal toString() fails the error is no longer thrown but is passed to the callback (Evan Lucas) #3485. - (Breaking) In fs.read() (using the fs.read(fd, length, position, encoding, callback) form), if the internal toString() fails the error is no longer thrown but is passed to the callback (Evan Lucas) #3503. * http: - Fixed a bug where pipelined http requests would stall (Fedor Indutny) #3342. - (Breaking) When parsing HTTP, don't add duplicates of the following headers: Retry-After, ETag, Last-Modified, Server, Age, Expires. This is in addition to the following headers which already block duplicates: Content-Type, Content-Length, User-Agent, Referer, Host, Authorization, Proxy-Authorization, If-Modified-Since, If-Unmodified-Since, From, Location, Max-Forwards (James M Snell) #3090. - (Breaking) The callback argument to OutgoingMessage#setTimeout() must be a function or a TypeError is thrown (James M Snell) #3090. - (Breaking) HTTP methods and header names must now conform to the RFC 2616 "token" rule, a list of allowed characters that excludes control characters and a number of separator characters. Specifically, methods and header names must now match /^[a-zA-Z0-9_!#$%&'*+.^`|~-]+$/ or a TypeError will be thrown (James M Snell) #2526. * node: - (Breaking) Deprecated the _linklist module (Rich Trott) #3078. - (Breaking) Removed require.paths and require.registerExtension(), both had been previously set to throw Error when accessed (Sakthipriyan Vairamani) #2922. * npm: Upgraded to version 3.3.6 from 2.14.7, see https://github.com/npm/npm/releases/tag/v3.3.6 for more details. This is a major version bump for npm and it has seen a significant amount of change. Please see the original npm v3.0.0 release notes for a list of major changes (Rebecca Turner) #3310. * src: (Breaking) Bumped NODE_MODULE_VERSION to 47 from 46, this is necessary due to the V8 upgrade. Native add-ons will need to be recompiled (Rod Vagg) #3400. * timers: Attempt to reuse the timer handle for setTimeout().unref(). This fixes a long-standing known issue where unrefed timers would perviously hold beforeExit open (Fedor Indutny) #3407. * tls: - Added ALPN Support (Shigeki Ohtsu) #2564. - TLS options can now be passed in an object to createSecurePair() (Коренберг Марк) #2441. - (Breaking) The default minimum DH key size for tls.connect() is now 1024 bits and a warning is shown when DH key size is less than 2048 bits. This a security consideration to prevent "logjam" attacks. A new minDHSize TLS option can be used to override the default. (Shigeki Ohtsu) #1831. * util: - (Breaking) util.p() was deprecated for years, and has now been removed (Wyatt Preul) #3432. - (Breaking) util.inherits() can now work with ES6 classes. This is considered a breaking change because of potential subtle side-effects caused by a change from directly reassigning the prototype of the constructor using `ctor.prototype = Object.create(superCtor.prototype, { constructor: { ... } })` to using `Object.setPrototypeOf(ctor.prototype, superCtor.prototype)` (Michaël Zasso) #3455. * v8: (Breaking) Upgraded to 4.6.85.25 from 4.5.103.35 (Ali Ijaz Sheikh) #3351. - Implements the spread operator, see https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Spread_operator for further information. - Implements new.target, see https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/new.target for further information. * zlib: Decompression now throws on truncated input (e.g. unexpected end of file) (Yuval Brik) #2595. PR-URL: #3466
Fishrock123
added
the
semver-minor
|
Tagging also as minor since one commit is just additive. |
|
Just want to verify that f72e178 will not be landing in lts |
|
@thealphanerd ... this one is a special case, a variation on this will land in v4.x, v0.12 and v0.10 as part of a security fix that landed in master but not in the branches. |
|
@jasnell has the security fix landed yet? I could not find any of these commits in v4.x-staging |
This is the fix of logjam attack for a TLS client. It disable connecting to the TLS server with less than DH key size specified by a new option of
minDHkeylen. The default is 1024 bits.And it also introduces a new public API of
TLSSocket.getEphemeralKeyInfo()to show the information of an ephemeral key type, name and length of TLS connection. I think it it good for users to know them. We should prepare future vulnerabilities not only DH but also ECDH.Unfortunately openssl provided
SSL_get_server_tmp_key()on only client so that this API returns an empty object on the server.The last one is my home work from @bnoordhuis to output warning of setDHParams to console.trace().
Here is a list of logjam fix in openssl, Firefox and Chrome. I think iojs is also better to set minimum key length like this.
https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
https://bugzilla.mozilla.org/show_bug.cgi?id=1138554
https://boringssl-review.googlesource.com/4813
R= @bnoordhuis @indutny