MEDIUM: ssl: Disable DHE ciphers by default

DHE ciphers do not present a security risk if the key is big enough but they are slow and mostly obsoleted by ECDHE. This patch removes any default DH parameters. This will effectively disable all DHE ciphers unless a global ssl-dh-param-file is defined, or tune.ssl.default-dh-param is set, or a frontend has DH parameters included in its PEM certificate. In this latter case, only the frontends that have DH parameters will have DHE ciphers enabled. Adding explicitely a DHE ciphers in a "bind" line will not be enough to actually enable DHE. We would still need to know which DH parameters to use so one of the three conditions described above must be met. This request was described in GitHub issue #1604.
2024-12-27 15:12:11 +00:00 · 2022-04-12 11:31:55 +02:00 · 2022-04-12 11:31:55 +02:00 · 1d6338ea96
commit 1d6338ea96
parent 528b3fd9be
4 changed files with 55 additions and 84 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -1960,9 +1960,10 @@ ssl-dh-param-file <file>
  which do not explicitly define theirs. It will be overridden by custom DH
  parameters found in a bind certificate file if any. If custom DH parameters
  are not specified either by using ssl-dh-param-file or by setting them
-  directly in the certificate file, pre-generated DH parameters of the size
-  specified by tune.ssl.default-dh-param will be used. Custom parameters are
-  known to be more secure and therefore their use is recommended.
+  directly in the certificate file, DHE ciphers will not be used, unless
+  tune.ssl.default-dh-param is set. In this latter case, pre-defined DH
+  parameters of the specified size will be used. Custom parameters are known to
+  be more secure and therefore their use is recommended.
  Custom DH parameters may be generated by using the OpenSSL command
  "openssl dhparam <size>", where size should be at least 2048, as 1024-bit DH
  parameters should not be considered secure anymore.
@ -2925,11 +2926,14 @@ tune.ssl.default-dh-param <number>
  the ephemeral/temporary Diffie-Hellman key in case of DHE key exchange. The
  final size will try to match the size of the server's RSA (or DSA) key (e.g,
  a 2048 bits temporary DH key for a 2048 bits RSA key), but will not exceed
-  this maximum value. Default value if 2048. Only 1024 or higher values are
-  allowed. Higher values will increase the CPU load, and values greater than
-  1024 bits are not supported by Java 7 and earlier clients. This value is not
-  used if static Diffie-Hellman parameters are supplied either directly
-  in the certificate file or by using the ssl-dh-param-file parameter.
+  this maximum value. Only 1024 or higher values are allowed. Higher values
+  will increase the CPU load, and values greater than 1024 bits are not
+  supported by Java 7 and earlier clients. This value is not used if static
+  Diffie-Hellman parameters are supplied either directly in the certificate
+  file or by using the ssl-dh-param-file parameter.
+  If there is neither a default-dh-param nor a ssl-dh-param-file defined, and
+  if the server's PEM file of a given frontend does not specify its own DH
+  parameters, then DHE ciphers will be unavailable for this frontend.

 tune.ssl.ssl-ctx-cache-size <number>
  Sets the size of the cache used to store generated certificates to <number>
--- a/include/haproxy/defaults.h
+++ b/include/haproxy/defaults.h
@ -354,7 +354,7 @@

 /* ssl max dh param size */
 #ifndef SSL_DEFAULT_DH_PARAM
-#define SSL_DEFAULT_DH_PARAM 2048
+#define SSL_DEFAULT_DH_PARAM 0
 #endif

 /* max memory cost per SSL session */
--- a/reg-tests/ssl/ssl_dh.vtc
+++ b/reg-tests/ssl/ssl_dh.vtc
@ -2,9 +2,10 @@

 # This reg-tests checks that the DH-related mechanisms works properly.
 # When no DH is specified, either directly in the server's PEM or through a
-# ssl-dh-param-file global option, in case of DHE negotiation, the hard coded
-# DH parameters included in the sources will be used. We will use DH parameters
-# of the same size as the server's RSA or DSA key.
+# ssl-dh-param-file global option, and no tune.ssl.default-dh-param is defined,
+# DHE ciphers are disabled.
+# If a default-dh-param is defined, we will use DH parameters of the same size
+# as the server's RSA or DSA key, or default-dh-param if it is smaller.
 # This test has three distinct HAProxy instances, one with no DH-related option
 # used, one with the tune.ssl.default-dh-param global parameter set, and one
 # with an ssl-dh-param-file global option.
@ -123,8 +124,8 @@ haproxy h3 -conf {
 client c1 -connect ${h1_clearlst_sock} {
  txreq
  rxresp
-  expect resp.status == 200
-  expect resp.http.x-ssl-cipher == "DHE-RSA-AES256-GCM-SHA384"
+  # No DH parameters are defined, DHE ciphers are unavailable
+  expect resp.status == 503
 } -run

 client c2 -connect ${h2_clearlst_dfltdh_sock} {
@ -144,18 +145,11 @@ client c3 -connect ${h3_clearlst_dhfile_sock} {
 client c4 -connect ${h1_clearlst_sock} {
  txreq -url "/gencert"
  rxresp
-  expect resp.status == 200
-  expect resp.http.x-ssl-cipher == "DHE-RSA-AES256-GCM-SHA384"
+  # No DH parameters are defined, DHE ciphers are unavailable
+  expect resp.status == 503
 } -run


-#
-# Check the size of the DH key
-#
-shell {
-    echo "Q" | openssl s_client -unix "${tmpdir}/ssl_dflt.sock" -tls1_2 2>/dev/null | grep -E "Server Temp Key: DH, 2048 bits"
-}
-
 # On the second HAProxy instance, even if default-dh-param is set to 4096, this
 # value is only considered as a maximum DH key length and we will always try to
 # match the server's certificate key length in our DHE key exchange (2048 bits
@ -168,11 +162,6 @@ shell {
    echo "Q" | openssl s_client -unix "${tmpdir}/ssl_dhfile.sock" -tls1_2 2>/dev/null | grep -E "Server Temp Key: DH, 4096 bits"
 }

-shell {
-    echo "Q" | openssl s_client -unix "${tmpdir}/ssl_dflt_gencert.sock" -tls1_2 2>/dev/null | grep -E "Server Temp Key: DH, 2048 bits"
-}
-
-

 #
 # Add a custom DH to the server's PEM certificate
@ -191,6 +180,8 @@ shell {

 #
 # Check that all the SSL backend <-> SSL frontend connections still work
+# Common.pem now contains DH parameters so the first instance's frontends
+# can now use DHE ciphers.
 #
 client c5 -connect ${h1_clearlst_sock} {
  txreq
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -3215,8 +3215,6 @@ static void ssl_sock_set_tmp_dh_from_pkey(SSL_CTX *ctx, EVP_PKEY *pkey)
 		if (!SSL_CTX_set0_tmp_dh_pkey(ctx, dh))
 			HASSL_DH_free(dh);
 	}
-	else
-		SSL_CTX_set_dh_auto(ctx, 1);
 }
 #endif

@ -3421,14 +3419,8 @@ static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct cert_key_and_chain
 		if (!ssl_sock_set_tmp_dh(ctx, dh)) {
 			memprintf(err, "%sunable to load the DH parameter specified in '%s'",
 				  err && *err ? *err : "", path);
-#if defined(SSL_CTX_set_dh_auto)
-			SSL_CTX_set_dh_auto(ctx, 1);
-			memprintf(err, "%s, SSL library will use an automatically generated DH parameter.\n",
-				  err && *err ? *err : "");
-#else
 			memprintf(err, "%s, DH ciphers won't be available.\n",
 				  err && *err ? *err : "");
-#endif
 			ret |= ERR_WARN;
 			goto end;
 		}
@ -3443,14 +3435,8 @@ static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct cert_key_and_chain
 		if (!ssl_sock_set_tmp_dh(ctx, global_dh)) {
 			memprintf(err, "%sunable to use the global DH parameter for certificate '%s'",
 				  err && *err ? *err : "", path);
-#if defined(SSL_CTX_set_dh_auto)
-			SSL_CTX_set_dh_auto(ctx, 1);
-			memprintf(err, "%s, SSL library will use an automatically generated DH parameter.\n",
-				  err && *err ? *err : "");
-#else
 			memprintf(err, "%s, DH ciphers won't be available.\n",
 				  err && *err ? *err : "");
-#endif
 			ret |= ERR_WARN;
 			goto end;
 		}
@ -3459,7 +3445,11 @@ static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct cert_key_and_chain
 		/* Clear openssl global errors stack */
 		ERR_clear_error();

-		if (global_ssl.default_dh_param && global_ssl.default_dh_param <= 1024) {
+		/* We do not want DHE ciphers to be added to the cipher list
+		 * unless there is an explicit global dh option in the conf.
+		 */
+		if (global_ssl.default_dh_param) {
+			if (global_ssl.default_dh_param <= 1024) {
 				/* we are limited to DH parameter of 1024 bits anyway */
 				if (local_dh_1024 == NULL)
 					local_dh_1024 = ssl_get_dh_1024();
@ -3474,14 +3464,8 @@ static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct cert_key_and_chain
 				if (!ssl_sock_set_tmp_dh(ctx, local_dh_1024)) {
 					memprintf(err, "%sunable to load default 1024 bits DH parameter for certificate '%s'.\n",
 						  err && *err ? *err : "", path);
-#if defined(SSL_CTX_set_dh_auto)
-				SSL_CTX_set_dh_auto(ctx, 1);
-				memprintf(err, "%s, SSL library will use an automatically generated DH parameter.\n",
-					  err && *err ? *err : "");
-#else
 					memprintf(err, "%s, DH ciphers won't be available.\n",
 						  err && *err ? *err : "");
-#endif
 					ret |= ERR_WARN;
 					goto end;
 				}
@ -3494,6 +3478,7 @@ static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct cert_key_and_chain
 #endif
 			}
 		}
+	}

 end:
 	ERR_clear_error();
@ -4828,21 +4813,12 @@ static int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_con
 #endif

 #ifndef OPENSSL_NO_DH
-	if (global_ssl.default_dh_param >= 1024) {
-		if (local_dh_1024 == NULL) {
+	if (!local_dh_1024)
 		local_dh_1024 = ssl_get_dh_1024();
-		}
-		if (global_ssl.default_dh_param >= 2048) {
-			if (local_dh_2048 == NULL) {
+	if (!local_dh_2048)
 		local_dh_2048 = ssl_get_dh_2048();
-			}
-			if (global_ssl.default_dh_param >= 4096) {
-				if (local_dh_4096 == NULL) {
+	if (!local_dh_4096)
 		local_dh_4096 = ssl_get_dh_4096();
-				}
-			}
-		}
-	}
 #endif /* OPENSSL_NO_DH */

 	SSL_CTX_set_info_callback(ctx, ssl_sock_infocbk);