Re: PostgreSQL - Weak DH group

From: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>
To: Nicolas Guini <nicolasguini(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org
Cc: Damian Quiroga <qdamian(at)gmail(dot)com>
Subject: Re: PostgreSQL - Weak DH group
Date: 2016-10-05 18:57:26
Message-ID: 28e6cd53-7ac5-087e-6a07-2d2a734cc689@iki.fi
Lists: pgsql-hackers

On 10/05/2016 05:15 PM, Nicolas Guini wrote:
> We are working with Postgres 9.3.14 and executing nmap we
> found that it is using "weak DH group" (nmap --script ssl-dh-params). Weak =
> 1024 bits.

Yeah, it seems that we're a bit behind the times on this...

> This issue is similar to what this post explains about using weak DH
> parameters: http://www.usefuljs.net/2016/09/29/imperfect-forward-secrecy/

The blog post points out that, as counterintuitive as it sounds, the
SSL_CTX_set_tmp_dh_callback() callback should ignore the keylength
argument, and always return a DH group with 2048 bits, or stronger. As
you pointed out, that's not what our callback does.

We should fix this in master, at least. I'm not sure about backporting;
there might be compatibility issues. It seems that at least OpenJDK
(Java) didn't support DH groups larger than 1024 bits until version 8.
That's fairly recent: OpenJDK 8 was released in March 2014.

The ECDHE family of ciphers is not affected, and is preferred over plain
DHE, I believe, so disabling DHE and removing the DH parameter loading
code altogether is one option. Clearly not backportable, though.

Meanwhile, users can work around this by creating DH parameters with
something like "openssl dhparam -out $PGDATA/dh1024.pem 2048". Yes, the
file needs to be called "dh1024.pem", even though the actual key length
is 2048 bits.

- Heikki
