xsf / infrastructure

Resources related to the XSF infrastructure
4 stars 3 forks source link

Use Ephemeral Diffie-Hellman Keys size of 1024 instead of 2048 #8

Open deleolajide opened 4 years ago

deleolajide commented 4 years ago

xmpp.org went offline recently and came back online with the DH key size set to 2048. This caused federation with XMPP servers using a size of 1024 to fail.

In the cases for Java based XMPP servers like Openfire (which use a default value of 1024 inherited from the JVM), the error message being recieved from xmpp.org was "handshake_failure" instead of "dh key size too small" and that made debugging difficult.

Unless there is a very compelling reason, can we please use the default 1024 instead of 2048.

horazont commented 4 years ago

Hi @deleolajide,

We talked about this in the OpenFire channel I seem to recall. I agree that enforcing high security levels for a public and publicly logged service like muc.xmpp.org is only of questionable benefit (which is also why I lowered the requirements for search.jabber.network in that regard). However, for two reasons I’d like to avoid lowering the limits:

  1. The same host as muc.xmpp.org also hosts xmpp.org, which in turn offers the memberbot service. The memberbot service deals with elections and its users should be protected.

  2. muc.xmpp.org hosts (semi-)anonymous MUCs. That means that the real JIDs of occupants are normally not exposed. Hence, even muc.xmpp.org has some data which is worth protecting.

For a rough idea about the risks of using a <2048 bit DH key see also the LogJam attack and related material. There are some common 1024 bit DH groups, and those may or may not be broken already. Using a custom 1024 bit DH group has the issue that it is Hard to determine whether a group is secure or not. The trade-offs for well-known vs. random DH groups have been discussed for a while now, and AFAIK there is no clear winner. Note that once a DH group has been broken with Logjam, the attack is purely passive.

Transmitting better error messages would be desirable, but I’m afraid that is a problem with the TLS protocol which we cannot address here.

Note that this is not special to xmpp.org. Debian has raised the minimum DH key size to 2048 by default, system-wide, with the release of Debian buster.

Hence, I’m tempted to close as wontfix.

Zash commented 4 years ago

I'll try lowering the security level on xmpp:muc.xmpp.org after I test a bit elsewhere.

horazont commented 4 years ago

Though according to moparisthebest, the last Java version to only support 1024 DH was Java 7, EOL’d in 2015.

I think this might be a problem with OpenFire defaults more than anything else.

Zash commented 4 years ago

I think this might not be a problem since a configuration change a while ago that made the server prefer ECDHE over plain DHE.

guusdk commented 4 years ago

Though according to moparisthebest, the last Java version to only support 1024 DH was Java 7, EOL’d in 2015.

Although support for higher values has been added, the default values are lower.

If I'm reading the JSSE reference right, then the default for Java 8 up until the most recent release to date (14) is to use 1024 bits.