icinga2 icon indicating copy to clipboard operation
icinga2 copied to clipboard
verified publisher icon Icinga

TLS: custom DH parameters

Open Al2Klimov opened this issue 2 years ago • 4 comments

Is your feature request related to a problem? Please describe.

As of #9811 Icinga uses publicly well-known pre-computed DH parameters.

Describe the solution you'd like

As OpenBSD says: if something can be random, make it random.

Describe alternatives you've considered

Let it as-is. Not a security problem, but we ca do "better" than status quo.

Additional context

https://github.com/Icinga/icinga2/pull/9811#issuecomment-1841566043

Al2Klimov avatar Dec 06 '23 11:12 Al2Klimov

Things to consider

bash-3.2$ set -x; for b in 4096 3072 2048 1024 512; do time openssl dhparam -out `mktemp -d`/dhp $b; done
+ for b in 4096 3072 2048 1024 512
++ mktemp -d
+ openssl dhparam -out /var/folders/c2/k37yy5v51qzd5_rfrwd_sd7r0000gn/T/tmp.b5M8ivlD/dhp 4096
Generating DH parameters, 4096 bit long safe prime, generator 2
This is going to take a long time
...............................................................+......................................................................................................................................................................................................................................................................................................................................+..................................................................................................................................+........................................................................................................................................................................................+..............................................................................................................................................................................................................................................................................................................................................+................+......................+..............................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................................................................................................+..........................+......................................................................................................................................................................................................................................+...............................................................................................................................................................+...........................+............................................................................................................................................................................................................................................................................................................................................................................................................................................+..................................................................................................................................................................+...........................................................+...............................................................................................................+...........................................+............................................................................................................+...........................+..................................................................................................................................................................................................................................................................................................................................................................................................................+.............+......................................................+.............................................................+.....................................................................................................+.............................................................................................................+....................................................................+.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................+...............+.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................+..............................+...............................................................................................................................................................................+.....................................................................................................................................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................................................................................................+...............................................................................................................................................................+................................................................+.......................................................................................+...................................................................................+.....+...................................................................................................................................................+......................................................................................................................................................................................................................................................................................................................................................................................................................................+................................................................................................................................................................................................................................................................................................................................+................................................................................................................................................................................................................................................................................................................................................................................+.......................................................................+...........................................................................................................................................+......................................+........................................+.......................................................................................................................................................................................................+........+.................................................................................................+................................................................................................................................................+............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................+..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................+..........................+.............+...........................................................................................................................................................................................................................................................................................................................+............................................................................................+...........+..............................................+..........................................................................+.............................................................................................................................................................................................+....................................................................................................+.................................................................................................................................................................................+............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................+...................................................................................................................................................................................................+..................................................................................+................................................................................................+..............................................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................+................................................................................................................................................+...............................................................................................................................................................................+...............................................................................................................................+......................................................................................................................+................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................+...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................+...................................................................................................+....................+.................................................................................................................+.......................................................+...............+.....................................................................................................+...........................................................................................................................+.........+.................+..........................................................................................................................+...........................................................+......+.....................................................................................................................................................................................+........................................................................................................................+................................................................................................+...................................................................................................................................................................................................+...........................................+.............................................................................................................................+..+.......................................................................................................+......................................................................+..................................................................................................................................................................................................................................................+..............................................................................................................................................................................................................................................+......................................................+.........................................................................................................................................................................................................................................................................................................................................................................................................+........................+.......+......................................+........................................................................................+............................................+...............................................................................................................+.........................................................................................................+.....................+..........................................................+.............................................................................................................................................................................................................................+.............................................................................................................................................................................................................................................+............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................+.....................................................................................................................................+.........................................................................................................................................................................................................+.....................................................................................................................................................................................................................................................................................................+.....................................................................+...................................................................................+.........................+............................................................................................................................................................................................................................+.....+................................................................................................................................................................................................................+...................+...........................................................................................................................................................................................................................................................+...........................................................................................................................................................................................................................+......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................+...............+................................+..............................................................................................................................................................................................................................................................+...................................................................................................................................................................................................................+..................+............................................................................................................................................................................................................................................................................................................+........................................................................................................................................+..............................................................................................................................................................................+.....................................................................+..........................................................................................+...................................................................+.......................................................................................................................+..............................................................................................................................+.............................................................................................................................................................................................................................................................................+.........................+.................................+................................................................................................+..............................+.................................................................................................................................+.......................................................................................+............................................................................................................................................................................................................................................................................................................................+...........................................................................................................+.+...............................................................................................................................................................................................................................................................................+.....................................................................+.....................................................................................................+............................................................................................................................................................................................................................................................................................................................................................................................+..................................................................................................................................................................................................................................................................................................................................................+.........+..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................+...................................................................................................+...........................................................+.....................................+................................................................................................................................+.................................................................................................+..................................................................................................................................................................................................................................................................+..............................................................+..............................................................................................................................................................+.............................................................................................................................................................................................+......................................................................................................................................................................................................................................+....................................+..........................................................................................................................................................................................................................................................................................+..........................................................................................................................................................................+..........................................................................................................................................................................+.................................................+..............................................................................................................................................................................................................................................................................................................................................................................................+................................................................................................................................................................+...........+.........................+.............................................................................................................+...........................................................+..................................................................................................................................................................................................................................................................+...................................................................................................................................................................................................+...............................................................................................................................+...+.....+..........................................................................+...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................+..........................+.....+.......................................................................................................................................................................................................................................................................................................................+......................................................................................................................................................................................................................................................................................................+.........................................................................................................+.................................................................................................................................................................+................................................................................................................................................................................................+..............................................................................................................................................................................................................................................................................................................................................................................+...........................................................................................................................+...............................................................................................+....................................................+.................+...................................................................................................................................+..................................................................................................................+......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................+.......................................................................................................................+.........+................................................................................................................................................................................................................................................................................................................................................................+................................................................................................................................+.......................................................................................................................................................................................................................................................................................................................................+.................+...........+..........................+...................................................................................................................................................................................................................................................................................................+...+................+...................................+.....................................................................+......................................................................................................+.........+....................................................................................................................................................................+.................................................................................................................+................................................................+....................................................................................................................+...................................................+...............................................................................................................................................................................................................................................................................................................................+................................+....................................................+...............+.....................................................................................................................................................................................................................................................................................................+...................................................................................................................................................................................+......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................+...............................................................................................................+..................................................................................................................................................................................................................................................................................+...+......................................................................................................................................+............................................................................................+..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................+.................................................................................................................................................................................................................................................+...............................+....................+................+...................................................................+...............................................................+....................................................................................................................................................................................................................................................................................................................+..........................................................................+............................+.......................................................................+.........................+................................................................................................................................................................+.....................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................................................................................................+......................................................................................................................................................................................................................................................................+....+.................................................................+.................................................+..........................................................+...........................................................+.....................................................................+..+.+.............................................................................................................................................................................................................................................................................................................................................................+...............................................+..............................................................................................................................................................................................+......................................+.................................................................................................................................................................................................................................................................................................................................................................................................................................................................+.......................................................................................................................................................................................................................................................................................................+...............................................................................................................................................................................................................................................................................................................................................+....................................................................................................................+..........................................................+..............................................................................................................................................................................................+........................................................................................................+........+.....+................................................................+............+..................................................................................................................................................................................................................................................................................................................................................................................................+..........................+....................................................+...................................................................+.......................................................................................................................................................................................................................................................................................................................................................................................................+.......................................................+.................................................................................................................................................................................................................................................................................+..............................................................................................................................................................................................................+....................................................+..................................................................................................................................................................................................................................................................................................................................+......................................................................................................................................................................................................................................+...................................................................................................................................................................................+........................................................................+.......................................................................................................................................+...................................................+..............................+......................................................+.........................................................................+..............................+..............................+......................................................+..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................++*++*++*

real	27m30.612s
user	26m29.741s
sys	0m16.221s
+ for b in 4096 3072 2048 1024 512
++ mktemp -d
+ openssl dhparam -out /var/folders/c2/k37yy5v51qzd5_rfrwd_sd7r0000gn/T/tmp.VZ7cptiF/dhp 3072
Generating DH parameters, 3072 bit long safe prime, generator 2
This is going to take a long time
..............................................+........................................................................................................................................................................................................................................................................................................................+...................................................................................................................................+....................................................................................................................+.+...........................................................................................................................................................................+............+.................................................................................................................................+.............................................+..........................................................................................................................................................................+........................................................+...................................+........................................................................................................................................................................................................................................+............................................................................................................+..................+........................................................................................................................................................................................+.......................................................................................+.......................................................+.........................................................................................................................................+.......................................................................................................................................................................................................+.........+..........+...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................+........................................................................................................................+..............................................................+..............................................................................................................................................................................................................................................................................................................+...................+....................................................................................................................................................................................+................................................+.................................................................+............................................................................................+...................+.....................................................................................................................................+................................................................+........................................................+......................................................+.....................................................................................+......................................................................+..............................................................................................................................................................................................................................................................................................................................................................................................+...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................+............................+..+.......................................................................................................................................................................................................................................+................................................................................................................................+...............................................+..........................................................................................................................................................................................................+.............................................................................................................................................................................................................................................................................+...........................................................................................................................................................................................................................................................................................................................................................................................+.............................................+...........................................................................................................................................................+.........+.........................................................................................................................................................................+.....................+............................................................................................................................................................................+.................................+..................................................+....................................................................................................+................................................+............................................................................................................................................................................................................................................................................+..............................................................................................................................................................................................+..............................................................................................................................................................................................+.............................................................................................................................................................................................................................................................................................................................................................+.....................................+............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................+......................................................................................................................................+..........+....................................................................................................+......................................................................................................................................................................+.+.........................................................................................................................................................................................................................+.........................................................................................................................................................................+.......................................................................................................................................+...............................................................+......................+...................................................................+.........................................+.....................+..............................................+.....................................................+..................................................................................................+.....................................................................................+........................................+............................................................................................................................................................+..............+........................................................................................................................+...................................................................................................................................................+.+.........................................................................................................................................+...........................................................................................................................................................................................................................................+....................................................................................................................+..............................................................................................................................................................................+.............................................+...........................................................................................................................................................................................................................................+......................+.....................................................................................................................+...................................................................................+........+.............................................................................................................................................................................................................................................+...............................................................................................................................................................+...................................+.............................+..........................................................................................................................................................................................................................................................................+...................................................................................................................................................................................................+........................................................................................................................................................................................................+.........................................................+..............................................................................................................................................................................................................................+.................................................................................................+...........................................................................................................................................................................................+...................................................................................................................................................................................................................................................................................+............................................................................................................+.............................................................................................................................................................................................+..........................................................................................................................................................................+..........................................................................................................................................................+....+..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................+.....................................................+..................+................................................................................................................................................................................................................+................................................................................................................................................................+.......................................................................+...........................................................................................................................................................................................................+........................+.......................................................................................................................................+..........................................................................................+.....................+....................................................................................+...........................................................................................................+......................................................................................................................................................................+............................................................................................+..............................................................................................................................................................................................................+.....................................................................................................................................................................................................................................................................................................................................+..........................................................+................................................................................................+...................................................................................+...............................................................................................................................+.................................................................................................................................................+....................................................+..................++*++*++*++*

real	4m57.308s
user	4m51.402s
sys	0m2.457s
+ for b in 4096 3072 2048 1024 512
++ mktemp -d
+ openssl dhparam -out /var/folders/c2/k37yy5v51qzd5_rfrwd_sd7r0000gn/T/tmp.oMzosBgi/dhp 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
......................................................................................+...............................................................+.........................................................................................................+.............................................................+.....................................................................................................................................................................................................................................................................+....................................+..................................................................................................................................................................................+................+.......+.................................................................................................................................................+.....................+................................................................................+................................................+.......................................................................................................................................................................................................................................................................................+.........................................................................................................................+....+..................................................................................................+.................................................................+.......................................................................................................................................................................+.....................+.......................................+.....................................................................+......+........................................................................................................................................................................................................................................................+..............................................................................................+...................................................................................................+.......+............................+.............................................................................................................................................................+..........+..............................................................................................................................+........................................................................+....................+.....+..............+...........................................................+................................+......................................................................................................................................................................................................................................................+........+.....................................................................................................+..................................................................+......................................+.....................+..................................................................................................+.........................................................................................+.............................................+..........+...............................................................................................+........................................................+.............................+.............++*++*++*++*

real	0m24.250s
user	0m23.922s
sys	0m0.159s
+ for b in 4096 3072 2048 1024 512
++ mktemp -d
+ openssl dhparam -out /var/folders/c2/k37yy5v51qzd5_rfrwd_sd7r0000gn/T/tmp.ZCFRf7tE/dhp 1024
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..........................................................................................................+................................+....................................................+.+..................................................................+........................+.......................................................................................+.......................+.............................................................................+....................................................................................+.......................................................................+.................................................................+........+.....+......+..+................................................................+.............................................+...+.........................+..........+..................................+.....................+.........................................+.............................................................+......................................+..........+................+........................................+............................................................................................................................................................+...............................................................+..............................................+.......................................................................+...+..............+..................................+.................................................................+................................................................................................................................................................................................................................................+....................................+................+...............................................................+....+.......................................................................+.........+............................................................+................+.................................................................+.......................+.............+......+.....................................+............+..............................................................................................................+...............................+.....+............+..............................................+............................................+..................+..........+..........+..................................................................................................................................................................................................+................+......+...................................................+...........................+........+........................+............+...........................+.....................+.............................................................................+........................................................+....................................................+.........+.+...........................+.....................+...........+..........................................+...........................+.............................................................+.........................++*++*++*++*++*

real	0m4.871s
user	0m4.715s
sys	0m0.078s
+ for b in 4096 3072 2048 1024 512
++ mktemp -d
+ openssl dhparam -out /var/folders/c2/k37yy5v51qzd5_rfrwd_sd7r0000gn/T/tmp.fQNTVlIw/dhp 512
Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time
........+....+...+....+................+..............................................................+........+...........+..........+..........................+......+..............+.......+..................+..........+..........................+.......++*++*++*++*++*

real	0m0.132s
user	0m0.115s
sys	0m0.010s
bash-3.2$

Al2Klimov avatar Dec 08 '23 12:12 Al2Klimov

Things to also consider

As generating DH parameters is extremely time consuming, an application should not generate the parameters on the fly. DH parameters can be reused, as the actual key is newly generated during the negotiation.

Typically applications should use well known DH parameters that have built-in support in OpenSSL. The macros SSL_CTX_set_dh_auto() and SSL_set_dh_auto() configure OpenSSL to use the default built-in DH parameters for the SSL_CTX and SSL objects respectively. Passing a value of 1 in the onoff parameter switches the feature on, and passing a value of 0 switches it off. The default setting is off.

– https://www.openssl.org/docs/man3.1/man3/SSL_CTX_set_dh_auto.html

Al2Klimov avatar Dec 11 '23 15:12 Al2Klimov

Oh! They even have pre-computed 8k params: https://github.com/openssl/openssl/blob/986c48c4eb26861f25bc68ea252d8f2aad592735/ssl/t1_lib.c#L3370-L3402

Al2Klimov avatar Dec 11 '23 15:12 Al2Klimov

Typically applications should use well known DH parameters that have built-in support in OpenSSL. The macros SSL_CTX_set_dh_auto() and SSL_set_dh_auto() configure OpenSSL to use the default built-in DH parameters for the SSL_CTX and SSL objects respectively.

Which is exactly what we do right now (at least if the OpenSSL version supports it):

https://github.com/Icinga/icinga2/blob/420db1565bc44b72c7d15e113d7fa5b2f8fa78f0/lib/base/tlsutility.cpp#L112

Also, keep in mind that, our default cipher string prefers ECDHE over DHE, so whatever we would do wouldn't even affect the majority of connections (if the client supports ECDHE, it will be used):

https://github.com/Icinga/icinga2/blob/420db1565bc44b72c7d15e113d7fa5b2f8fa78f0/lib/base/tlsutility.hpp#L31

julianbrost avatar Dec 11 '23 16:12 julianbrost