tls: make server not use DHE in less than 1024bits

Shigeki Ohtsu · Shigeki Ohtsu · commit c65484a74d63 · 2015-06-12T11:05:19.000+09:00
DHE key lengths less than 1024bits is already weaken as pointed out in https://weakdh.org/ . 1024bits will not be safe in near future. We will extend this up to 2048bits somedays later. PR-URL: #1739 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Fedor Indutny <fedor@indutny.com>
diff --git a/doc/api/tls.markdown b/doc/api/tls.markdown
@@ -160,8 +160,10 @@ automatically set as a listener for the [secureConnection][] event.  The
 
   - `dhparam`: A string or `Buffer` containing Diffie Hellman parameters,
     required for Perfect Forward Secrecy. Use `openssl dhparam` to create it.
-    If omitted or invalid, it is silently discarded and DHE ciphers won't be
-    available.
+    Its key length should be greater than or equal to 1024 bits, otherwise
+    it throws an error. It is strongly recommended to use 2048 bits or
+    more for stronger security. If omitted or invalid, it is silently
+    discarded and DHE ciphers won't be available.
 
   - `handshakeTimeout`: Abort the connection if the SSL/TLS handshake does not
     finish in this many milliseconds. The default is 120 seconds.
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
@@ -754,6 +754,12 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo<Value>& args) {
   if (dh == nullptr)
     return;
 
+  const int keylen = BN_num_bits(dh->p);
+  if (keylen < 1024)
+    return env->ThrowError("DH parameter is less than 1024 bits");
+  else if (keylen < 2048)
+    fprintf(stderr, "WARNING: DH parameter is less than 2048 bits\n");
+
   SSL_CTX_set_options(sc->ctx_, SSL_OP_SINGLE_DH_USE);
   int r = SSL_CTX_set_tmp_dh(sc->ctx_, dh);
   DH_free(dh);
diff --git a/test/parallel/test-tls-dhe.js b/test/parallel/test-tls-dhe.js
@@ -61,8 +61,9 @@ function test(keylen, expectedCipher, cb) {
 }
 
 function test512() {
-  test(512, 'DHE-RSA-AES128-SHA256', test1024);
-  ntests++;
+  assert.throws(function() {
+    test(512, 'DHE-RSA-AES128-SHA256', null);
+  }, /DH parameter is less than 1024 bits/);
 }
 
 function test1024() {
@@ -76,12 +77,13 @@ function test2048() {
 }
 
 function testError() {
-  test('error', 'ECDHE-RSA-AES128-SHA256', null);
+  test('error', 'ECDHE-RSA-AES128-SHA256', test512);
   ntests++;
 }
 
-test512();
+test1024();
 
 process.on('exit', function() {
   assert.equal(ntests, nsuccess);
+  assert.equal(ntests, 3);
 });

Original file line number	Diff line number	Diff line change
`@@ -61,8 +61,9 @@ function test(keylen, expectedCipher, cb) {`
`61`	`61`	`}`
`62`	`62`
`63`	`63`	`function test512() {`
`64`		`- test(512, 'DHE-RSA-AES128-SHA256', test1024);`
`65`		`- ntests++;`
	`64`	`+ assert.throws(function() {`
	`65`	`+ test(512, 'DHE-RSA-AES128-SHA256', null);`
	`66`	`+ }, /DH parameter is less than 1024 bits/);`
`66`	`67`	`}`
`67`	`68`
`68`	`69`	`function test1024() {`
`@@ -76,12 +77,13 @@ function test2048() {`
`76`	`77`	`}`
`77`	`78`
`78`	`79`	`function testError() {`
`79`		`- test('error', 'ECDHE-RSA-AES128-SHA256', null);`
	`80`	`+ test('error', 'ECDHE-RSA-AES128-SHA256', test512);`
`80`	`81`	`ntests++;`
`81`	`82`	`}`
`82`	`83`
`83`		`-test512();`
	`84`	`+test1024();`
`84`	`85`
`85`	`86`	`process.on('exit', function() {`
`86`	`87`	`assert.equal(ntests, nsuccess);`
	`88`	`+ assert.equal(ntests, 3);`
`87`	`89`	`});`