Netfuture/tlsinterposer

DH is always set to 1024bit even if the cert keysize is >1024bit

Opened this issue · 4 comments

Hi,
After implementing tlsinterposer on ejabberd, the results on xmpp.net for testing the SSL protocols and ciphers always show that DH is 1024 bit. I have checked my certificate, which is 4096 bits, and according to the code I believe it checks the cert key size in order to generate the DH.

git

I need to increase the DH size because a 1024-bit DH prime is vulnerable to the TLS Logjam attack.

Thanks!

@Shoaibr are you sure it's a tlsinterposer bug? Are you using ejabberd 15.x? If yes, I think you need to generate DH with 4096 bits and set the path to it in ejabberd.yml. Btw. tlsinterposer is no longer needed for ejabberd newer than 2.1.x.

I am still using ejabberd 2.1.x due to some custom modules written for it and can't migrate to the new version any time soon. So I'm just looking for a workaround for this :)

For testing, if we change the DH returned by the ssl_callback_TmpDH function to get_dh2048() for every keylen case, as follows, the DH is still set to 1024 bit on the server:

```c
static DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
{
    /* ... earlier keylen cases elided by the poster ... */
    /* ... */
    else if (keylen >= 2048)
        return get_dh2048();
    else
        return get_dh2048();   /* was get_dh1024() for the small-key case */
}
```

Does this mean this has no effect on choosing the DH size?
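Whatever the callback returns, the number that matters for Logjam is the group the server actually negotiates. This added check (not code from the issue or from tlsinterposer) parses `openssl s_client` output for the "Server Temp Key" line and flags groups below a minimum; the host, port and the `check_xmpp_dh` helper are assumptions, and the sample output is constructed.

```sh
# Extract the ephemeral DH bit length from openssl s_client output on stdin.
# Prints the number (e.g. 1024) or "none" when no DH temp key was reported
# (ECDHE or RSA key exchange, or a failed handshake).
dh_bits_from_output() {
    bits=$(sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1)
    if [ -z "$bits" ]; then
        echo none
    else
        echo "$bits"
    fi
}

# Return 0 if the DH group meets the minimum (default 2048 bits), 1 otherwise.
# A 1024-bit group, as reported by xmpp.net in this issue, fails the check.
dh_ok() {
    bits=$1
    min=${2:-2048}
    case "$bits" in
        none|'') return 1 ;;
    esac
    [ "$bits" -ge "$min" ]
}

# Live check against an XMPP server (assumed host and port, not from the issue).
# Pins TLS 1.2 and a DHE cipher so a server that offers finite-field DH must
# send its group; a server with only ECDHE/RSA suites yields "none".
check_xmpp_dh() {
    host=$1
    port=${2:-5222}
    printf 'Q\n' | openssl s_client -connect "$host:$port" -starttls xmpp \
        -tls1_2 -cipher 'DHE' 2>/dev/null | dh_bits_from_output
}

# Constructed sample of s_client output matching the report in the issue.
SAMPLE_WEAK='---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---'

# Constructed sample where the server negotiated an EC group instead.
SAMPLE_ECDH='---
Server Temp Key: ECDH, P-256, 256 bits
---'
```

Run `check_xmpp_dh your.xmpp.host` and feed the result to `dh_ok`; a non-zero exit means the negotiated group is below the minimum.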

After my recent upgrade from Debian Wheezy (7/oldstable) to Debian Jessie (8/stable) I failed to get 4096-bit DH params with tlsinterposer, which was working out of the box before. I also altered the code to only return 4096, to no avail. Using dhfile with ejabberd has been possible since version 15.06, but unfortunately Jessie only ships with ejabberd 14.07.