This repository was archived by the owner on Apr 22, 2023. It is now read-only.
Limit use of small DH keys in Node #25562
Closed
Description
This is to close on the related issues mentioned in:
The summary of the overall mitigation is:
- Update to openssl-1.0.1o. This will protect the TLS client. Unfortunately, there will be no way to revert to the previous behavior, and it will prevent users who have upgraded from connecting to servers using a key smaller than 768 (DONE in 0.10.39 and 0.12.5).
- To add protection on the server side, pull in "tls: make server not use DHE in less than 1024bits for fix agaist Logjam Attack" (node#1739), but add an option/env variable to revert to the previous behavior. This is secure by default but minimizes breakage in the LTS streams by providing a way out if necessary. From earlier comments, it seems like this is only needed for 0.12.X.
- Leave out "Add a new option to limit DH key size in tls connect" (node#1831), as we already have protection for the client from the openssl upgrade and it depends on some functionality not available in openssl-1.0.1. 1831 will be in place for the next major node stream.
- Drop modp1 (option 1 in "Remove (or discourage) small DH groups in crypto.getDiffieHellman" #25366, limited to modp1) and use the same option/env variable to allow a revert to the previous behavior.
- Update the docs to suggest avoiding sizes less than 2048, as suggested in "Remove (or discourage) small DH groups in crypto.getDiffieHellman" #25366.
So the remaining issues to complete are:
- "Remove (or discourage) small DH groups in crypto.getDiffieHellman" #25366 (for 0.10.X and 0.12.X)
- "tls: make server not use DHE in less than 1024bits for fix agaist Logjam Attack" node#1739 - updated to have command line/env variable to back out. (Applies only to 0.12.X)
This issue will track getting those two done for the next release.
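
The size thresholds in the summary above can be expressed as a small audit helper for DH primes. This is an added example, not code from the Node project: the function names, the verdict strings and the `allowSmallDh` flag (standing in for the unnamed option/env variable) are assumptions, and the short "primes" are constructed byte strings used only for their length.

```javascript
const nodeCrypto = require('node:crypto');

// Thresholds taken from the issue text above.
const CLIENT_MIN_BITS = 768;   // openssl-1.0.1o client refuses smaller keys
const SERVER_MIN_BITS = 1024;  // server-side DHE floor (node#1739)
const RECOMMENDED_BITS = 2048; // size suggested for the docs (#25366)

// Bit length of a big-endian integer, ignoring leading zero bytes, so a
// zero-padded buffer is not counted as a larger key than it really is.
function dhPrimeBits(prime) {
  let i = 0;
  while (i < prime.length && prime[i] === 0) i++;
  if (i === prime.length) return 0;
  return (prime.length - i - 1) * 8 + (32 - Math.clz32(prime[i]));
}

// role is 'client' or 'server'. allowSmallDh is a hypothetical opt-out flag.
// It is honoured only for the server role, because the issue says the client
// behaviour from the OpenSSL upgrade cannot be reverted.
function classifyDhPrime(prime, role, allowSmallDh = false) {
  if (role !== 'client' && role !== 'server') {
    throw new TypeError('role must be "client" or "server"');
  }
  const bits = dhPrimeBits(prime);
  const min = role === 'server' ? SERVER_MIN_BITS : CLIENT_MIN_BITS;
  if (bits < min) {
    const overridden = role === 'server' && allowSmallDh;
    return { bits, verdict: overridden ? 'allowed-by-override' : 'reject' };
  }
  return { bits, verdict: bits < RECOMMENDED_BITS ? 'discouraged' : 'ok' };
}

// Constructed sample inputs (sized values, not real primes).
const sized768 = Buffer.alloc(96, 0xff);
const padded768 = Buffer.concat([Buffer.from([0x00, 0x00]), sized768]);
const sized511 = Buffer.concat([Buffer.from([0x7f]), Buffer.alloc(63, 0xff)]);
// Real 2048-bit group shipped with Node.
const modp14 = nodeCrypto.getDiffieHellman('modp14').getPrime();

function auditSamples() {
  return {
    server768: classifyDhPrime(sized768, 'server'),
    server768Override: classifyDhPrime(sized768, 'server', true),
    client768Padded: classifyDhPrime(padded768, 'client'),
    client511Override: classifyDhPrime(sized511, 'client', true),
    serverModp14: classifyDhPrime(modp14, 'server'),
  };
}
```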