Refuse weak DH groups #62

KellerFuchs · 2016-12-15T15:31:06Z

There are at least two kinds of weak DH groups that lua-http silently accepts:

I'm not sure whether OpenSSL can check for those at all.

The text was updated successfully, but these errors were encountered:

daurnimator · 2016-12-15T15:43:55Z

I'm not sure how to check these... chromium/badssl.com#40 indicates that I should check the DH parameters.

I can't see in the OpenSSL API how to get the DH params (I'd preferably want them as an EVP_PKEY*) out of an SSL*; anyone able to jump in here?

daurnimator · 2017-10-29T04:22:39Z

I can't see in the OpenSSL API how to get the DH params (I'd preferably want them as an EVP_PKEY*) out of an SSL*; anyone able to jump in here?

SSL_get_server_tmp_key is the function I was looking for. Introduced in 1.0.2.

I'll note that openssl seems to have some built in checks for DH keys available. grep for SSL_R_DH_KEY_TOO_SMALL.

daurnimator · 2018-05-30T08:26:33Z

luaossl now has ssl:getServerTemporaryKey()

daurnimator · 2018-06-16T20:43:06Z

I think this also needs wahern/luaossl#135

daurnimator added enhancement security labels Dec 15, 2016

daurnimator added the good-first-issue label Jan 23, 2017

daurnimator mentioned this issue Oct 29, 2017

Bind SSL_get_server_tmp_key wahern/luaossl#114

Closed

daurnimator removed the good-first-issue label Oct 29, 2017

Provide feedback