
Refuse weak DH groups

Open KellerFuchs opened this issue 8 years ago • 4 comments

There are at least two kinds of weak DH groups that lua-http silently accepts:

I'm not sure whether OpenSSL can check for those at all.

KellerFuchs avatar Dec 15 '16 15:12 KellerFuchs

I'm not sure how to check these... https://github.com/chromium/badssl.com/issues/40 indicates that I should check the DH parameters.

I can't see in the OpenSSL API how to get the DH params (I'd preferably want them as an EVP_PKEY*) out of an SSL*; anyone able to jump in here?

daurnimator avatar Dec 15 '16 15:12 daurnimator

> I can't see in the OpenSSL API how to get the DH params (I'd preferably want them as an EVP_PKEY*) out of an SSL*; anyone able to jump in here?

SSL_get_server_tmp_key is the function I was looking for. Introduced in 1.0.2.

Thanks to http://openssl.6102.n7.nabble.com/How-to-enforce-DH-field-size-in-the-client-td60442.html

I'll note that OpenSSL seems to have some built-in checks for DH keys available. Grep for SSL_R_DH_KEY_TOO_SMALL.

daurnimator avatar Oct 29 '17 04:10 daurnimator

luaossl now has ssl:getServerTemporaryKey()

daurnimator avatar May 30 '18 08:05 daurnimator
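
One way to apply the check discussed above from Lua, as an added example that is not lua-http or luaossl project code: it fetches the server's ephemeral key with ssl:getServerTemporaryKey() after the handshake and rejects a DH modulus below a minimum size. The 2048-bit threshold and the function names are assumptions, as is the use of pkey:getParameters() and bignum:toBinary(), which the thread does not mention.

```lua
-- Added example. Assumes `ssl` is an openssl.ssl object (luaossl) whose
-- TLS handshake has already completed on the client side.

local MIN_DH_BITS = 2048 -- assumed policy threshold, not taken from the thread

-- Bit length of an unsigned big-endian byte string (leading zeros ignored).
local function bit_length(bin)
	for i = 1, #bin do
		local byte = bin:byte(i)
		if byte ~= 0 then
			local bits = (#bin - i) * 8
			while byte > 0 do
				bits = bits + 1
				byte = math.floor(byte / 2)
			end
			return bits
		end
	end
	return 0
end

-- Returns true when the server's ephemeral key passes the size policy,
-- or nil plus a message when it is a finite-field DH key that is too small.
local function check_server_tmp_key(ssl, min_bits)
	min_bits = min_bits or MIN_DH_BITS
	-- pcall covers both conventions (raise, or return nil) for the case where
	-- the cipher suite used no ephemeral key; which one applies is an assumption.
	local ok, key = pcall(ssl.getServerTemporaryKey, ssl)
	if not ok or not key then
		return true -- no ephemeral key, so nothing for this check to inspect
	end
	-- Assumption: for DH keys getParameters() returns a table with fields p and g.
	local got, params = pcall(key.getParameters, key)
	if not got or type(params) ~= "table" or not (params.p and params.g) then
		return true -- not finite-field DH (e.g. ECDHE), outside this check
	end
	local bits = bit_length(params.p:toBinary())
	if bits < min_bits then
		return nil, string.format(
			"server DH modulus is %d bits, minimum is %d", bits, min_bits)
	end
	return true
end

return { bit_length = bit_length, check_server_tmp_key = check_server_tmp_key }
```

This only enforces modulus size; a caller would close the connection when it returns nil.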

I think this also needs https://github.com/wahern/luaossl/issues/135

daurnimator avatar Jun 16 '18 20:06 daurnimator