Bugzilla – Bug 4230
TLSDHParamFile directive appears ignored because unexpected DH is chosen
Last modified: 2016-03-11 15:44:44 UTC
I have configured a proftpd server with TLSDHParamFile pointing to a 4096-bit Diffie-Hellman group. However, it seems the server is not using it. I have this in the proftpd.conf:
    TLSDHParamFile /etc/proftpd/dh4096.pem
Trying to connect with openssl:
    openssl s_client -connect localhost:21 -starttls ftp -cipher DHE
I see this:
    Server Temp Key: DH, 1024 bits
So it's not using the 4096-bit parameters I gave it; it uses 1024-bit parameters. Given that 1024 bit is dangerously small, I consider this a security issue.
Could you provide the rest of the mod_tls configuration, and the TLSLog, please?
Created attachment 4282 [details] proftpd.conf
Created attachment 4283 [details] tls log
Attached both. The config is mostly the default config and some lines I copied from some configuration example for TLS. (I originally saw this on a server I maintain, but I could reproduce it locally.)
Would it also be possible to get the output from `openssl x509 -noout -text` for the server's configured certificate? This is relevant to the code that mod_tls currently uses for selecting the DH to use. Thanks!
Created attachment 4284 [details] certificate
Here's the full cert attached. It's just a dummy cert I created on the fly. OpenSSL output:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 13166631464917491551 (0xb6b9458ebae35f5f)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
        Validity
            Not Before: Mar 8 21:52:16 2016 GMT
            Not After : Dec 2 21:52:16 2018 GMT
        Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                22:36:7A:19:EA:D3:E6:A5:C2:27:85:6D:3D:A5:FF:2E:40:C0:C8:43
            X509v3 Authority Key Identifier:
                keyid:22:36:7A:19:EA:D3:E6:A5:C2:27:85:6D:3D:A5:FF:2E:40:C0:C8:43
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
PR to address (hopefully fix, or make better) the issue: https://github.com/proftpd/proftpd/pull/226
In my local testing, this PR seems to address the issue. Could you confirm that it works for your case as well? Thanks!
PR merged to master; fix backported to 1.3.5 branch. Thanks!
Resolved in 1.3.6rc2, 1.3.5b.
I think the bug is fixed now, after testing with 1.3.5b. But I'm a bit confused about the changelog:
    + SSH RSA hostkeys smaller than 2048 bits now work properly.
Actually the first server I observed this on had a 4096-bit key (and gave out a 1024-bit DH exchange). From what I can see there is no difference in this bug depending on the RSA key size; it's just always using DH 1024. No big thing, but I thought I'd note that the changelog is odd. Anyway, it seems 1.3.5b does the right thing in all situations.
> I think the bug is fixed now, after testing with 1.3.5b. But I'm a bit confused
> about the changelog:
>
> + SSH RSA hostkeys smaller than 2048 bits now work properly.
That refers to a different issue in the mod_sftp module. I was in a bit of a hurry to do a release yesterday, and did not mention everything in the release notes; I'll get those fixed up today. Thanks!
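The check from the original report, as an added example that is not part of the bug thread or ProFTPD's code: a POSIX shell function that reads `openssl s_client` output and fails when the negotiated DH group is smaller than the size configured in TLSDHParamFile. The sample outputs are constructed, and the function names `temp_key` and `check_dh` are hypothetical.

```shell
#!/bin/sh
# Added example (not ProFTPD code): check which ephemeral key a server really
# negotiated, using the "Server Temp Key" line that `openssl s_client` prints.

# Constructed s_client excerpts, so the script runs offline.
SAMPLE_WEAK='SSL handshake has read 2310 bytes and written 479 bytes
Server Temp Key: DH, 1024 bits
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384'
SAMPLE_GOOD='Server Temp Key: DH, 4096 bits
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384'
SAMPLE_ECDH='Server Temp Key: ECDH, P-256, 256 bits
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384'

# Print "<type> <bits>" for the first Server Temp Key line on stdin.
temp_key() {
    awk -F': ' '/^Server Temp Key:/ {
        n = split($2, f, /, */)   # "DH, 1024 bits" -> f[1]="DH", f[n]="1024 bits"
        sub(/ bits.*/, "", f[n])
        print f[1], f[n]
        exit
    }'
}

# check_dh MIN_BITS < s_client-output
# 0: finite-field DH of at least MIN_BITS; 1: DH smaller than MIN_BITS;
# 2: no DH temp key seen, so the run says nothing about TLSDHParamFile.
check_dh() {
    min=$1
    key=$(temp_key)
    kind=${key%% *}
    bits=${key##* }
    case $bits in ''|*[!0-9]*) kind='' ;; esac   # reject a missing or non-numeric size
    if [ "$kind" != "DH" ]; then
        echo "INCONCLUSIVE: no DHE temp key (got '${key:-none}')"
        return 2
    fi
    if [ "$bits" -lt "$min" ]; then
        echo "FAIL: server used $bits-bit DH, expected at least $min"
        return 1
    fi
    echo "OK: server used $bits-bit DH"
}

# Live use, with the command from the report:
#   openssl s_client -connect localhost:21 -starttls ftp -cipher DHE </dev/null 2>/dev/null | check_dh 4096
for s in "$SAMPLE_WEAK" "$SAMPLE_GOOD" "$SAMPLE_ECDH"; do
    printf '%s\n' "$s" | check_dh 4096 || true
done
```

The inconclusive status matters for regression testing: if the handshake lands on an ECDHE suite, the configured DH parameters were never exercised, so the run neither confirms nor refutes the fix.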