-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a new option to limit DH key size in tls connect #1831
Conversation
Are you sure that we are actually vulnerable to the logjam attack? I always thought that we are not doing False Start, so it should not be possible to perform MiTM attack in this case. |
False Start is the worst case to decrypt DATA in offline.
According the paper, 512 bit DH key can be solved about 90 secs for the server with built-in prime such as apache. The current TLS timeout of iojs is 120 secs which is longer than that. |
@shigeki but this is not logjam anymore, right? I just don't want to say that we was vulnerable to it in the first place, especially if we wasn't. |
If the wording of logjam only covers export DH cipher, that is right. I did not care about that. I've just changed this PR title to remove the word of logjam. There is no word of logjam in the commit message. |
@@ -347,6 +347,11 @@ Creates a new client connection to the given `port` and `host` (old API) or | |||
|
|||
- `session`: A `Buffer` instance, containing TLS session. | |||
|
|||
- `minDHkeylen`: Minimum key length of an ephemeral DH parameter to |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A camel case (minDHKeyLen
)? Or even minDHSize
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I take minDHSize
as it is shorter and more legible.
A couple of nits, otherwise looking great! Good job, @shigeki ! |
484262e
to
dd8a2a2
Compare
@bnoordhuis @indutny Thanks for reviewing. According to your comments, I updated them. PTAL. |
connection. It returns an empty object when the key exchange is not | ||
ephemeral. As it is only supported on a client socket, it returns null | ||
if this is called on a server socket. The type of 'DH' and 'ECDH' are | ||
supported. The name property is only available in 'ECDH'. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Femto-nit: maybe reword this to:
The supported types are 'DH' and 'ECDH'. The `name` property is only available with 'ECDH'.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed
LGTM apart from a couple of nits. Can you rebase and run the CI before landing this? Thanks. |
8b16dfd
to
e4f02bd
Compare
@shigeki @bnoordhuis @indutny ... ping |
Sorry for my late response. This is a security enhancement of DH as the same way of Chrome/Firefox. It is not so much threat at the usual use but https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breaking-so-much-crypto/ says that
so that I think it is worth to have this in order to protect against the nation level attack. |
This should be semver-major. It will definitely break code that was connecting to 1024-bit DH servers. Otherwise LGTM |
@indutny Thanks. I agree it. I've changed label. I rebase this, make tests again and land it after 5.0 start. |
Note: |
@Fishrock123 Thanks. The current master is already 5.0.0-pre so can I land this now? |
CI show the following 7 test failures but they are not related to this PR. Otherwise are green.
|
@shigeki v5.0 is set to cut probably next week, and semver-major's have been landing on (This also assumes this has had enough TSC review, which I think it has.) |
Returns an object representing a type, name and size of an ephemeral key exchange in a client connection. Currently only DHE and ECHE are supported. This api only works on on a client connection. When it is called on a server connection, null is returned. When its key exchange is not ephemeral, an empty object is returned. PR-URL: #1831 Reviewed-By: indutny - Fedor Indutny <[email protected]> Reviewed-By: bnoordhuis - Ben Noordhuis <[email protected]>
Add a new option to specifiy a minimum size of an ephemeral DH parameter to accept a tls connection. Default is 1024 bit. PR-URL: #1831 Reviewed-By: indutny - Fedor Indutny <[email protected]> Reviewed-By: bnoordhuis - Ben Noordhuis <[email protected]>
To make it easy to figure out where the warning comes from. Also fix style and variable name that was made in #1739. PR-URL: #1831 Reviewed-By: indutny - Fedor Indutny <[email protected]> Reviewed-By: bnoordhuis - Ben Noordhuis <[email protected]>
@Fishrock123 Thanks. |
Notable changes: * buffer: (Breaking) Removed both 'raw' and 'raws' encoding types from Buffer, these have been deprecated for a long time (Sakthipriyan Vairamani) nodejs#2859. * console: (Breaking) Values reported by console.time() now have 3 decimals of accuracy added (Michaël Zasso) nodejs#3166. * fs: - fs.readFile*(), fs.writeFile*(), and fs.appendFile*() now also accept a file descriptor as their first argument (Johannes Wüller) nodejs#3163. - (Breaking) In fs.readFile(), if an encoding is specified and the internal toString() fails the error is no longer thrown but is passed to the callback (Evan Lucas) nodejs#3485. - (Breaking) In fs.read() (using the fs.read(fd, length, position, encoding, callback) form), if the internal toString() fails the error is no longer thrown but is passed to the callback (Evan Lucas) nodejs#3503. * http: - Fixed a bug where pipelined http requests would stall (Fedor Indutny) nodejs#3342. - (Breaking) When parsing HTTP, don't add duplicates of the following headers: Retry-After, ETag, Last-Modified, Server, Age, Expires. This is in addition to the following headers which already block duplicates: Content-Type, Content-Length, User-Agent, Referer, Host, Authorization, Proxy-Authorization, If-Modified-Since, If-Unmodified-Since, From, Location, Max-Forwards (James M Snell) nodejs#3090. - (Breaking) The callback argument to OutgoingMessage#setTimeout() must be a function or a TypeError is thrown (James M Snell) nodejs#3090. - (Breaking) HTTP methods and header names must now conform to the RFC 2616 "token" rule, a list of allowed characters that excludes control characters and a number of separator characters. Specifically, methods and header names must now match /^[a-zA-Z0-9_!#$%&'*+.^`|~-]+$/ or a TypeError will be thrown (James M Snell) nodejs#2526. * node: - (Breaking) Deprecated the _linklist module (Rich Trott) nodejs#3078. - (Breaking) Removed require.paths and require.registerExtension(), both had been previously set to throw Error when accessed (Sakthipriyan Vairamani) nodejs#2922. * npm: Upgraded to version 3.3.6 from 2.14.7, see https://github.com/npm/npm/releases/tag/v3.3.6 for more details. This is a major version bump for npm and it has seen a significant amount of change. Please see the original npm v3.0.0 release notes for a list of major changes (Rebecca Turner) nodejs#3310. * src: (Breaking) Bumped NODE_MODULE_VERSION to 47 from 46, this is necessary due to the V8 upgrade. Native add-ons will need to be recompiled (Rod Vagg) nodejs#3400. * timers: Attempt to reuse the timer handle for setTimeout().unref(). This fixes a long-standing known issue where unrefed timers would perviously hold beforeExit open (Fedor Indutny) nodejs#3407. * tls: - Added ALPN Support (Shigeki Ohtsu) nodejs#2564. - TLS options can now be passed in an object to createSecurePair() (Коренберг Марк) nodejs#2441. - (Breaking) The default minimum DH key size for tls.connect() is now 1024 bits and a warning is shown when DH key size is less than 2048 bits. This a security consideration to prevent "logjam" attacks. A new minDHSize TLS option can be used to override the default. (Shigeki Ohtsu) nodejs#1831. * util: - (Breaking) util.p() was deprecated for years, and has now been removed (Wyatt Preul) nodejs#3432. - (Breaking) util.inherits() can now work with ES6 classes. This is considered a breaking change because of potential subtle side-effects caused by a change from directly reassigning the prototype of the constructor using `ctor.prototype = Object.create(superCtor.prototype, { constructor: { ... } })` to using `Object.setPrototypeOf(ctor.prototype, superCtor.prototype)` (Michaël Zasso) nodejs#3455. * v8: (Breaking) Upgraded to 4.6.85.25 from 4.5.103.35 (Ali Ijaz Sheikh) nodejs#3351. - Implements the spread operator, see https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Spread_operator for further information. - Implements new.target, see https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/new.target for further information. * zlib: Decompression now throws on truncated input (e.g. unexpected end of file) (Yuval Brik) nodejs#2595. PR-URL: nodejs#3466
Notable changes: * buffer: (Breaking) Removed both 'raw' and 'raws' encoding types from Buffer, these have been deprecated for a long time (Sakthipriyan Vairamani) #2859. * console: (Breaking) Values reported by console.time() now have 3 decimals of accuracy added (Michaël Zasso) #3166. * fs: - fs.readFile*(), fs.writeFile*(), and fs.appendFile*() now also accept a file descriptor as their first argument (Johannes Wüller) #3163. - (Breaking) In fs.readFile(), if an encoding is specified and the internal toString() fails the error is no longer thrown but is passed to the callback (Evan Lucas) #3485. - (Breaking) In fs.read() (using the fs.read(fd, length, position, encoding, callback) form), if the internal toString() fails the error is no longer thrown but is passed to the callback (Evan Lucas) #3503. * http: - Fixed a bug where pipelined http requests would stall (Fedor Indutny) #3342. - (Breaking) When parsing HTTP, don't add duplicates of the following headers: Retry-After, ETag, Last-Modified, Server, Age, Expires. This is in addition to the following headers which already block duplicates: Content-Type, Content-Length, User-Agent, Referer, Host, Authorization, Proxy-Authorization, If-Modified-Since, If-Unmodified-Since, From, Location, Max-Forwards (James M Snell) #3090. - (Breaking) The callback argument to OutgoingMessage#setTimeout() must be a function or a TypeError is thrown (James M Snell) #3090. - (Breaking) HTTP methods and header names must now conform to the RFC 2616 "token" rule, a list of allowed characters that excludes control characters and a number of separator characters. Specifically, methods and header names must now match /^[a-zA-Z0-9_!#$%&'*+.^`|~-]+$/ or a TypeError will be thrown (James M Snell) #2526. * node: - (Breaking) Deprecated the _linklist module (Rich Trott) #3078. - (Breaking) Removed require.paths and require.registerExtension(), both had been previously set to throw Error when accessed (Sakthipriyan Vairamani) #2922. * npm: Upgraded to version 3.3.6 from 2.14.7, see https://github.com/npm/npm/releases/tag/v3.3.6 for more details. This is a major version bump for npm and it has seen a significant amount of change. Please see the original npm v3.0.0 release notes for a list of major changes (Rebecca Turner) #3310. * src: (Breaking) Bumped NODE_MODULE_VERSION to 47 from 46, this is necessary due to the V8 upgrade. Native add-ons will need to be recompiled (Rod Vagg) #3400. * timers: Attempt to reuse the timer handle for setTimeout().unref(). This fixes a long-standing known issue where unrefed timers would perviously hold beforeExit open (Fedor Indutny) #3407. * tls: - Added ALPN Support (Shigeki Ohtsu) #2564. - TLS options can now be passed in an object to createSecurePair() (Коренберг Марк) #2441. - (Breaking) The default minimum DH key size for tls.connect() is now 1024 bits and a warning is shown when DH key size is less than 2048 bits. This a security consideration to prevent "logjam" attacks. A new minDHSize TLS option can be used to override the default. (Shigeki Ohtsu) #1831. * util: - (Breaking) util.p() was deprecated for years, and has now been removed (Wyatt Preul) #3432. - (Breaking) util.inherits() can now work with ES6 classes. This is considered a breaking change because of potential subtle side-effects caused by a change from directly reassigning the prototype of the constructor using `ctor.prototype = Object.create(superCtor.prototype, { constructor: { ... } })` to using `Object.setPrototypeOf(ctor.prototype, superCtor.prototype)` (Michaël Zasso) #3455. * v8: (Breaking) Upgraded to 4.6.85.25 from 4.5.103.35 (Ali Ijaz Sheikh) #3351. - Implements the spread operator, see https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Spread_operator for further information. - Implements new.target, see https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/new.target for further information. * zlib: Decompression now throws on truncated input (e.g. unexpected end of file) (Yuval Brik) #2595. PR-URL: #3466
Tagging also as minor since one commit is just additive. |
Just want to verify that f72e178 will not be landing in lts |
@thealphanerd ... this one is a special case, a variation on this will land in v4.x, v0.12 and v0.10 as part of a security fix that landed in master but not in the branches. |
@jasnell has the security fix landed yet? I could not find any of these commits in v4.x-staging |
This is the fix of logjam attack for a TLS client. It disable connecting to the TLS server with less than DH key size specified by a new option of
minDHkeylen
. The default is 1024 bits.And it also introduces a new public API of
TLSSocket.getEphemeralKeyInfo()
to show the information of an ephemeral key type, name and length of TLS connection. I think it it good for users to know them. We should prepare future vulnerabilities not only DH but also ECDH.Unfortunately openssl provided
SSL_get_server_tmp_key()
on only client so that this API returns an empty object on the server.The last one is my home work from @bnoordhuis to output warning of setDHParams to console.trace().
Here is a list of logjam fix in openssl, Firefox and Chrome. I think iojs is also better to set minimum key length like this.
https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
https://bugzilla.mozilla.org/show_bug.cgi?id=1138554
https://boringssl-review.googlesource.com/4813
R= @bnoordhuis @indutny