-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
insufficient security 71 #1933
Comments
It would be an expensive operation to validate a custom group, so by default we accept only a few well-known DH groups (from RFC 3526 and RFC 7919). Because of attacks like "logjam" we also (by default) require at minimum a 2048 bit prime. This default behaviour is captured in If using BCJSSE, the integer system property "org.bouncycastle.jsse.client.dh.minimumPrimeBits" can be set to control the minimum prime bits and the boolean system property "org.bouncycastle.jsse.client.dh.unrestrictedGroups" can be set to "true" to allow unrestricted groups. Unfortunately no finer grain control is available. We don't recommend loosening these restrictions; in general if you have any control over the server it would be preferable to change it to use non-DH cipher suites, or at least to use a well-known DH group from RFC 7919. It's probably a bad idea to accept custom groups from arbitrary internet servers. |
That DH group came from a Windows machine. Today, the same p value was observed for a Ubuntu machine. Hence, this should not be a custom DH group. Here is the p values from the DH group. 0000 0e f8 69 0b 35 2f 62 59 f7 af 4e 19 b5 9b d2 eb To my best effort, I did not find this in the standard DH groups so I was under the assumption that this is a custom group. Does this p value belong to any standard DH group? I know it did not match the ones supported by bouncy castle. |
Windows/Ubuntu doesn't have much to do with TLS DH group selection. Most likely the group in use is the default group for some particular server software (you didn't mention anything about what you are connecting to). |
We are connecting using RDP protocol to Windows and Ubuntu. The connection is to xrdp running on Ubuntu and RDP server on Windows. The RDP connection is done over TLS and the DH group came from the cipher selected in the server hello packet during the TLS handshake. The cipher would come from the Windows server and openssl for xrdp. Hence, how could the TLS DH group selection on two OS be using the same custom DH group? |
OK, xrdp, so now we can see where this group is defined: https://github.com/neutrinolabs/xrdp/blob/441f427694bf04bd7a7d900eafe75d9c44d375b0/common/ssl_calls.c#L890 . The OS isn't usually relevant to the choice of DH group for a TLS server. It's either negotiated with the client from a list of named groups, or else the server is free to choose an explicit group (pre-TLS 1.3 only). There's no reason two servers can't use the same group. Perhaps the Windows server is also running xrdp, or perhaps one of the implementations copied the DH group from the other, to minimize interoperability problems. |
We understand the choice of DH groups and the decision to accept standard DH groups in bouncy castle. At our end, we are dealing with systems where their security cipher implementation varies and spans over the years. While we wish we could deal with standard DH groups, there are many reasons from different angles that imposes constraints and restriction at the integration points. |
When the p and q values of a Diffie-Hellman server key exchange is not found in the groups supported by bouncy castle, an insufficent security 71 is encountered. It seems like custom group is not supported. Is this true?
The text was updated successfully, but these errors were encountered: