On Friday, 14 July 2023 18:03:25 CEST, Peter Gutmann wrote:
> Hubert Kario <hka...@redhat.com> writes:
>
>> FIPS requires supporting only well-known groups (all of them 2048 bit or
>> larger), and we've received hardly any customer issues after implementing
>> that as a hard check (the connection will fail if the key exchange uses custom
>> DH parameters) a good few years ago now.

> Interesting, so you're saying that essentially no-one uses custom groups? My
> code currently fast-tracks the known groups (RFC 3526 and RFC 7919) but also
> allows custom groups (with additional checking) to be on the safe side because
> you never know what weirdness is out there, do you have an idea of what sort
> of magnitude "hardly any" represents?

I wouldn't go as far as "nobody uses them", it's more like "people that use
them, either have them configured unknowingly or can change configuration
to use well known groups". So while it may cause interoperability issues,
for people that really do care about interoperability with old systems,
they are fine with tweaking DH configuration to make it happen (or simply
end up using ECDHE and are completely unaware of the whole issue).

One more side note: in FIPS mode we also disable RSA ciphersuites, so the
FFDHE and ECDHE, both with only well known groups, are the only two key
exchanges that do work.

> And can something similar be said about SSH implementations? There's fixed DH
> groups and then the Swiss-army-knife diffie-hellman-group-exchange-*, but
> AFAIK the only groups that ever get exchanged there are the RFC 3526/7919
> ones.

Nope, for OpenSSH those will be the safe primes from /etc/ssh/moduli, though
in FIPS mode we do ignore that file and indeed use RFC 3526 or 7919 groups
of at least 2048 bits (don't remember what we default to, but we will accept
either).
--
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
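The two policies discussed in this thread (fast-track the RFC 3526/7919 groups, run extra checks on anything custom, and in FIPS mode refuse every group that is not well-known and at least 2048 bits) are easy to get subtly wrong, so here is a worked example. It is an added illustration and not code from OpenSSL, NSS, OpenSSH or either poster; the known-group table holds only RFC 3526 group 14 (a real table would carry groups 15-18 and ffdhe2048-ffdhe8192 as well), the Miller-Rabin round count is an assumption, and the /etc/ssh/moduli line at the bottom is constructed from that same prime rather than copied from a real file.

```python
"""Classify finite-field DH parameters: well-known, custom-but-checked, or rejected.

Constructed example for the TLS list thread on FIPS-mode DH restrictions.
"""
import random

# RFC 3526 group 14 (2048-bit MODP), generator 2.  Only group in this toy table.
MODP2048_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
KNOWN_GROUPS = {(MODP2048_P, 2): "modp2048 (RFC 3526 group 14)"}

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n == sp:
            return True
        if n % sp == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # composite witness found
    return True


def is_safe_prime(p: int) -> bool:
    """p is a safe prime when both p and q = (p - 1) / 2 are prime."""
    return p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def classify_dh_params(p: int, g: int, min_bits: int = 2048) -> tuple[str, str]:
    """Return (verdict, detail); verdict is 'known', 'custom' or 'rejected'.

    The known-group lookup is the fast path: no primality testing is done for
    a group that is in the table, which is what "fast-tracking" buys you.
    """
    name = KNOWN_GROUPS.get((p, g))
    if name is not None:
        return ("known", name)
    if p.bit_length() < min_bits:
        return ("rejected", f"p is {p.bit_length()} bits, minimum is {min_bits}")
    if not 1 < g < p - 1:
        return ("rejected", "generator out of range")
    if not is_safe_prime(p):
        return ("rejected", "p is not a safe prime")
    q = (p - 1) // 2
    # For a safe prime every g in (1, p-1) has order q or 2q; verify it anyway
    # so a forged p that slipped past the probabilistic test cannot give a tiny
    # subgroup, and so a caller can choose to insist on order q (g**q == 1).
    if pow(g, q, p) not in (1, p - 1):
        return ("rejected", "generator does not have order q or 2q")
    return ("custom", "passed safe-prime and generator checks")


def fips_dh_allowed(p: int, g: int) -> bool:
    """The FIPS-mode rule from the thread: well-known groups of >= 2048 bits only."""
    return (p, g) in KNOWN_GROUPS and p.bit_length() >= 2048


def parse_moduli_line(line: str) -> tuple[int, int]:
    """Parse one /etc/ssh/moduli record: time type tests trials size gen modulus."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError("malformed moduli line")
    if fields[1] != "2":  # type 2 means safe prime in the moduli file format
        raise ValueError("only safe-prime (type 2) entries are accepted")
    return int(fields[6], 16), int(fields[5])


# Constructed moduli line reusing the group 14 prime; not from a real moduli file.
SAMPLE_MODULI_LINE = f"20230714180325 2 6 100 2047 2 {MODP2048_P:X}"

if __name__ == "__main__":
    for p, g in [(MODP2048_P, 2), parse_moduli_line(SAMPLE_MODULI_LINE), (23, 5)]:
        print(p.bit_length(), "bits ->", classify_dh_params(p, g), "fips:", fips_dh_allowed(p, g))
```

The small-prime cases (p = 23 and friends) only pass once `min_bits` is lowered; with the default they are rejected on size before any arithmetic happens, which mirrors the "fail the connection" behaviour described above rather than silently downgrading.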

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls