The state of Forward Secrecy in OpenSSL
It could be possible that your SSL services are not providing
forward secrecy and you haven’t noticed yet!
Many SSL ciphers provide forward secrecy by using ephedermal Diffie-Hellman (EDH) keys. This means that for every SSL session a temporary encryption key is negotiated and the normal key is only used for verifying authenticity. As the OpenSSL documentation states:
“By generating a temporary DH key inside the server application that is lost when the application is left, it becomes impossible for an attacker to decrypt past sessions, even if he gets hold of the normal (certified) key, as this key was only used for signing.”
Although ciphers using EDH will most probably be available in your setup, often they are disabled because the application fails to provide DH params to OpenSSL. Since it is costly to generate those parameters – which are needed to negotiate a DH key exchange – OpenSSL suggests to create them when an application is installed.
Many application will not do this, but rather let the user generate and include the parameters in the configuration manually. Since (i) most administrators are not aware of this problem, (ii) those applications do not yield any warnings if the parameters are missing and (iii) OpenSSL silently disables ciphers with unsatisfied requirements, forward secrecy is not available in many SSL connections.
Update: Also see Bernats blog for a nice roundup on the cryptographic background of perfect forward secrecy and the new, faster elliptic curve implementations.
Verify your Setup
Try to open an SSL session to your service (https, imap, smtp, jabber, irc, …) with
openssl s_client -port <port> -host <yourdomain.tld>
this will show you the details of the SSL session and you can verify that the used cipher includes EDH:
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
or not:
New, TLSv1/SSLv3, Cipher is AES256-SHA
Fix your Setup
Applications which we found to work with EDH ciphers are Apache and Dovecot.
Update: Applications which we found to not support EDH out of the box are: squid, exim, courier
In most applications you can configure a dhparams variable somewhere. The dhparams can be generated with the following command:
openssl dhparam -out dhparams.pem 2048
We already fixed the problem in the following services:
Squid (reverse proxy)
In /etc/squid/include.d/https_port add dhparams=/path/dhparams.pem to every line
Exim
In /etc/exim.conf add the line tls_dhparam = /path/dhparams.pem
Fix the general Problem
This problem has two main reasons:
- Applications do not check whether the requirements of the user selected ciphers are satisfied. The requirements are listed in the OpenSSL doku. Or they could just always generate dhparams when they are installed, since EDH ciphers should be preferred anyway.
- The OpenSSL API does not provide any means to verify the state of the configuration. There is no function to check if cipher requirements are met and the SSL_CTX setup is consistent. As long as at least a single cipher (even the least secure) in the acceptable ciphers list can be initialized OpenSSL will not complain to the application.
If you find any application which exhibits this problem, please file a bug report and convince the maintainers to at least generate a warning to the user and state the consequences in the documentation.
If you are a developer of an application which uses OpenSSL please consider shipping install scripts that generate dhparams or generate them on the fly if they are missing. Please do not just let OpenSSL silently disable a key feature of SSL.
Sadly, DHE (aka EDH) alone is not enough, since the NSA deliberately compromised its algorithm.
This is not the case for ECDHE (*elliptic curve* ephemeral DH) though, so it’s highly recommended to use that instead.
Unfortunately, while I have gotten Apache 2.4 do full ECDHE-RSA-AES256-GCM-SHA384, Courier(-IMAP) still can’t do elliptic curve cryptography…
Or I’m missing something…