Xin Li
2015-May-20 22:48 UTC
LogJam exploit can force TLS down to 512 bytes, does it affect us?
On 05/20/15 14:40, Julian H. Stacey wrote:
> Hi security at freebsd.org

Please note that security at freebsd.org = secteam at freebsd.org. Since this is posted to ports@ which is public, I'm assuming it's not intended to be in private.

> (& bcc'd a couple of friends)
>
> Refa: http://www.bbc.com/news/technology-32814309 (posted 5 hours
> before Wed May 20 23:01:22 CEST 2015)
> http://www.theregister.co.uk/2015/05/20/logjam_impact/ 20 May 2015
> at 16:29
>
> Does it affect FreeBSD ? If so, I guess security-officer@ will
> already be drafting a notification; If not, might it be good PR
> anyway to put out a brief summary / statement on a mail list or web
> page ?

Well, currently OpenSSL does accept weak DH, so _arguably_ it does affect FreeBSD, and it's likely to break existing applications if we enforce such restrictions (namely, Java 6).

However, system administrators should always follow best practices, like disabling export grade ciphers, using ECDHE and generating their own DH parameters when they implement PFS.

Recommended for system administrators:

1. Check if any export grade cipher is enabled (here we use port 443, https, as an example; the same check can be used for other TLS enabled services). This can be checked by doing:

       openssl s_client -connect www.example.com:443 -cipher 'EXPORT'

   If the connection was successful, then the server supports export grade ciphers, which should be disabled immediately.

2. Make sure that ECDHE is supported:

       openssl s_client -connect www.example.com:443 -cipher 'ECDH'

   And the connection should succeed.

3. Make sure you are using unique DH parameters, and configure them in the server. To generate a 2048-bit DH parameter and save it as dhparams.pem:

       openssl dhparam -out dhparams.pem 2048

The document at https://weakdh.org/sysadmin.html gives additional information for individual daemons, including Apache (mod_ssl), nginx, lighttpd, Tomcat, postfix, sendmail, dovecot and HAProxy.

I personally find Qualys SSL Labs' SSL/TLS Deployment Best Practices a good read, by the way. It can be found at: https://www.ssllabs.com/projects/best-practices/

Cheers,
-- 
Xin LI <delphij at delphij.net> https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
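The three checks above, wrapped into reusable shell functions as an added example (this is not code from the thread or from FreeBSD). `tls_cipher_accepted` and `dh_param_bits` shell out to `openssl` exactly as the commands above do and need a reachable host; `tls_temp_key_verdict` works offline on captured `openssl s_client` output and classifies the ephemeral key from the "Server Temp Key:" line (printed by OpenSSL 1.0.2 and later), which is what tells you whether a DHE handshake landed on a Logjam-sized group. The host name, port and the sample outputs embedded at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example (not code from the original posts). Wraps Xin Li's three
# checks into shell functions. www.example.com:443 and the SAMPLE_* strings
# are assumptions/constructed data, not real captures.

# tls_cipher_accepted HOST PORT CIPHERLIST
# Returns 0 when the server completes a handshake restricted to CIPHERLIST,
# 1 otherwise. Checks 1 and 2 from the mail become:
#   tls_cipher_accepted www.example.com 443 EXPORT && echo "export ciphers enabled: fix"
#   tls_cipher_accepted www.example.com 443 ECDH   || echo "no ECDHE offered: fix"
# Needs network access; the offline samples below do not exercise it.
tls_cipher_accepted() {
    host=$1; port=$2; ciphers=$3
    out=$(openssl s_client -connect "$host:$port" -cipher "$ciphers" </dev/null 2>/dev/null) || true
    # A refused handshake prints "Cipher is (NONE)"; a success names the suite.
    printf '%s\n' "$out" | grep -q 'Cipher is [^(]'
}

# tls_temp_key_verdict
# Reads `openssl s_client` output on stdin and prints one verdict:
#   ok-ecdh   ECDHE, including X25519/X448             (returns 0)
#   ok-dh     finite-field DHE, 2048 bits or more      (returns 0)
#   weak-dh   finite-field DHE below 2048 bits, Logjam territory (returns 1)
#   none      no ephemeral key, e.g. plain RSA key exchange, no PFS (returns 1)
tls_temp_key_verdict() {
    line=$(grep 'Server Temp Key:' | head -n 1)
    case "$line" in
        '')                     echo none;    return 1 ;;
        *ECDH*|*X25519*|*X448*) echo ok-ecdh; return 0 ;;
        *DH*)
            # Line looks like "Server Temp Key: DH, 1024 bits"
            bits=$(printf '%s\n' "$line" | sed -n 's/.*DH, \([0-9][0-9]*\) bits.*/\1/p')
            if [ "${bits:-0}" -ge 2048 ]; then echo ok-dh; return 0; fi
            echo weak-dh; return 1 ;;
        *)                      echo unknown; return 1 ;;
    esac
}

# dh_param_bits FILE
# Prints the group size of a PEM file written by `openssl dhparam` (check 3),
# so the deployed file can be verified before it is wired into the daemon:
#   [ "$(dh_param_bits dhparams.pem)" -ge 2048 ] || echo "dhparams.pem is too small"
dh_param_bits() {
    openssl dhparam -in "$1" -text -noout 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Constructed sample s_client outputs (not real captures) for the three verdicts.
SAMPLE_WEAK_DH='Server public key is 2048 bit
Server Temp Key: DH, 1024 bits
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA'
SAMPLE_ECDH='Server Temp Key: ECDH, P-256, 256 bits
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_RSA='Server public key is 2048 bit
New, TLSv1/SSLv3, Cipher is AES128-SHA'

for s in "$SAMPLE_WEAK_DH" "$SAMPLE_ECDH" "$SAMPLE_RSA"; do
    printf '%s\n' "$s" | tls_temp_key_verdict || true
done
```

In practice you pipe a live run into the classifier: `openssl s_client -connect www.example.com:443 -cipher 'DH' </dev/null 2>/dev/null | tls_temp_key_verdict` forces a finite-field DHE suite (if the server offers one) and shows which group size it actually serves, which the EXPORT and ECDH checks alone do not reveal.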
Julian H. Stacey
2015-May-21 00:04 UTC
LogJam exploit can force TLS down to 512 bytes, does it affect us?
Xin Li wrote:
> On 05/20/15 14:40, Julian H. Stacey wrote:
> > Hi security at freebsd.org
>
> Please note that security at freebsd.org = secteam at freebsd.org. Since
> this is posted to ports@ which is public, I'm assuming it's not
> intended to be in private.

Yes, correct, thanks Xin Li, (Sorry I forgot that lack of naming alias, different to other [freebsd-](hackers|current|ports)@freebsd.org lists).

Thanks for the quick response :-)

PS I checked some finance sites (random, OS unknown) from a FreeBSD client, all failed with 'EXPORT', just 2 responded OK with 'ECDH'

Cheers,
Julian
-- 
Julian Stacey, BSD Linux Unix C Sys Eng Consultant Munich http://berklix.com
Indent previous with "> ". Reply Below as a play script.
Send plain text, Not quoted-printable, HTML, or base64.
Winfried Neessen
2015-May-21 06:59 UTC
LogJam exploit can force TLS down to 512 bytes, does it affect us?
Hi,

> The document at https://weakdh.org/sysadmin.html gives additional
> information for individual daemons, including Apache (mod_ssl), nginx,
> lighttpd, Tomcat, postfix, sendmail, dovecot and HAProxy.

Unfortunately the documentation only offers guidance for Apache 2.4. As Apache 2.2 does not support the "SSLOpenSSLConfCmd" config parameter, I've created a "rather ugly but seems to work" workaround for Apache 2.2, which switches the pre-shipped default 512/1024 bit DH parameters to a set of self-generated 2048/3072 bit DH params. There is also a quick and dirty (even more ugly) patch for the /usr/ports/www/apache22 Makefile, that automagically applies the workaround.

It can be found here: http://nop.li/dy

Winni
Matthew Seaman
2015-May-21 08:33 UTC
LogJam exploit can force TLS down to 512 bytes, does it affect us?
On 05/20/15 23:48, Xin Li wrote:
> The document at https://weakdh.org/sysadmin.html gives additional
> information for individual daemons, including Apache (mod_ssl), nginx,
> lighttpd, Tomcat, postfix, sendmail, dovecot and HAProxy.

The part of that https://weakdh.org/ site that concerns me most is the statement about 25.7% of SSH servers being vulnerable if the 1024bit D-H group is broken.

We've got pretty good instructions for hardening anything that uses TLS against this attack, but not a lot on SSH. About the only relevant thing I've found is:

http://blog.mro.name/2015/05/hardening-ssh-debian-wheezy/

which inter alia suggests upgrading to OpenSSH-6.6 -- which has been in FreeBSD-10 since March -- modifying some config parameters: KexAlgorithms, Ciphers, MACs and then regenerating ed25519 and rsa host keys.

Err... what? How are ed25519 and rsa host keys affected by a downgrade attack on Diffie-Hellman?

Cheers,

Matthew
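As an added example (not part of any message in this thread), the SSH side of the same problem can be handled with the same idea as the TLS DH parameter check: sshd's `diffie-hellman-group-exchange-*` methods pick their finite-field group from `/etc/ssh/moduli`, so a server that still ships 1024-bit entries there can be steered onto a weak group even when ECDH and curve25519 are also available. The filter below keeps only the 2048-bit-and-up entries. It assumes the standard moduli file layout (`time type tests tries size generator modulus`, with `size` recorded as the file lists it, e.g. 2047 for a 2048-bit group); the sample lines are constructed, with fake hex moduli, so the filter can be run offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH. Filters an
# /etc/ssh/moduli file down to groups of 2048 bits and up. SAMPLE_MODULI is
# constructed (the modulus column is fake hex), not a real moduli file.

# Moduli file fields: time type tests tries size generator modulus.
# "size" is the length as sshd records it: 2047 for a 2048-bit group.
MIN_SIZE=2047

# filter_moduli < /etc/ssh/moduli > moduli.safe
# Keeps comment lines and every entry whose size field is >= MIN_SIZE.
filter_moduli() {
    awk -v min="$MIN_SIZE" '/^#/ { print; next } NF >= 7 && $5 >= min { print }'
}

# count_weak_moduli < /etc/ssh/moduli
# Prints how many entries the filter would drop, i.e. how many groups an
# attacker who can break 1024-bit DH could be steered onto.
count_weak_moduli() {
    awk -v min="$MIN_SIZE" '!/^#/ && NF >= 7 && $5 < min { n++ } END { print n + 0 }'
}

# Constructed sample (sizes are the ones a stock moduli file uses; hex is fake).
SAMPLE_MODULI='# constructed sample, not a real /etc/ssh/moduli
20150521000000 2 6 100 1023 2 CAFEBABE0001
20150521000000 2 6 100 1535 2 CAFEBABE0002
20150521000000 2 6 100 2047 2 CAFEBABE0003
20150521000000 2 6 100 4095 5 CAFEBABE0004'

# Demo on the sample: prints the number of weak groups, then the kept entries.
printf '%s\n' "$SAMPLE_MODULI" | count_weak_moduli
printf '%s\n' "$SAMPLE_MODULI" | filter_moduli
```

Run it against the real file with `filter_moduli < /etc/ssh/moduli > moduli.safe`, inspect, then install the result over `/etc/ssh/moduli` and restart sshd. The companion change is a `KexAlgorithms` line in `sshd_config` that omits `diffie-hellman-group1-sha1` (a fixed 1024-bit group that no moduli filtering can remove); which exact list to keep is a local policy decision, so none is prescribed here.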