Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use Ephemeral Diffie-Hellman Keys size of 1024 instead of 2048 #8

Open
deleolajide opened this issue Apr 4, 2020 · 5 comments
Open

Comments

@deleolajide
Copy link

xmpp.org went offline recently and came back online with the DH key size set to 2048. This caused federation with XMPP servers using a size of 1024 to fail.

In the cases for Java based XMPP servers like Openfire (which use a default value of 1024 inherited from the JVM), the error message being recieved from xmpp.org was "handshake_failure" instead of "dh key size too small" and that made debugging difficult.

Unless there is a very compelling reason, can we please use the default 1024 instead of 2048.

@horazont
Copy link

horazont commented Aug 11, 2020

Hi @deleolajide,

We talked about this in the OpenFire channel I seem to recall. I agree that enforcing high security levels for a public and publicly logged service like muc.xmpp.org is only of questionable benefit (which is also why I lowered the requirements for search.jabber.network in that regard). However, for two reasons I’d like to avoid lowering the limits:

  1. The same host as muc.xmpp.org also hosts xmpp.org, which in turn offers the memberbot service. The memberbot service deals with elections and its users should be protected.

  2. muc.xmpp.org hosts (semi-)anonymous MUCs. That means that the real JIDs of occupants are normally not exposed. Hence, even muc.xmpp.org has some data which is worth protecting.

For a rough idea about the risks of using a <2048 bit DH key see also the LogJam attack and related material. There are some common 1024 bit DH groups, and those may or may not be broken already. Using a custom 1024 bit DH group has the issue that it is Hard to determine whether a group is secure or not. The trade-offs for well-known vs. random DH groups have been discussed for a while now, and AFAIK there is no clear winner. Note that once a DH group has been broken with Logjam, the attack is purely passive.

Transmitting better error messages would be desirable, but I’m afraid that is a problem with the TLS protocol which we cannot address here.

Note that this is not special to xmpp.org. Debian has raised the minimum DH key size to 2048 by default, system-wide, with the release of Debian buster.

Hence, I’m tempted to close as wontfix.

@Zash
Copy link
Member

Zash commented Aug 11, 2020

I'll try lowering the security level on xmpp:muc.xmpp.org after I test a bit elsewhere.

@horazont
Copy link

Though according to moparisthebest, the last Java version to only support 1024 DH was Java 7, EOL’d in 2015.

I think this might be a problem with OpenFire defaults more than anything else.

@Zash
Copy link
Member

Zash commented Aug 11, 2020

I think this might not be a problem since a configuration change a while ago that made the server prefer ECDHE over plain DHE.

@guusdk
Copy link

guusdk commented Aug 12, 2020

Though according to moparisthebest, the last Java version to only support 1024 DH was Java 7, EOL’d in 2015.

Although support for higher values has been added, the default values are lower.

If I'm reading the JSSE reference right, then the default for Java 8 up until the most recent release to date (14) is to use 1024 bits.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants