Re: PostgreSQL - Weak DH group

From: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>
To: Robert Haas <robertmhaas(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Christoph Berg <myon(at)debian(dot)org>, Nicolas Guini <nicolasguini(at)gmail(dot)com>, PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org>, Damian Quiroga <qdamian(at)gmail(dot)com>
Subject: Re: PostgreSQL - Weak DH group
Date: 2017-07-31 11:27:27
Message-ID: ef31c95b-b37f-fc2c-25e8-ab7f01d52808@iki.fi
Lists: pgsql-hackers

On 07/13/2017 11:07 PM, Heikki Linnakangas wrote:
> On 07/13/2017 10:13 PM, Robert Haas wrote:
>> On Thu, Jul 13, 2017 at 1:30 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>>> Heikki Linnakangas <hlinnaka(at)iki(dot)fi> writes:
>>>> I don't think this can be backpatched. It changes the default DH
>>>> parameters from 1024 bits to 2048 bits. That's a good thing for
>>>> security, but older clients might not support it, and would refuse to
>>>> connect or would fall back to something less secure.
>>>
>>> Do we have any hard information about which versions of which clients
>>> might not support that? (In particular I'm wondering if any still exist
>>> in the wild.)
>>
>> Yeah. If we break clients for v10 two months from release, some
>> drivers won't be updated by release time, and that sounds pretty
>> unfriendly to me. On the other hand, if there is only a theoretical
>> risk of breakage and no clients that we actually know about will have
>> a problem with it, then the argument for waiting is weaker. I'm not
>> generally very excited about changing things after beta2, which is
>> where we are, but if this is a security issue then we might need to hold
>> our nose and go ahead. I'm against it if it's likely to cause
>> real-world connectivity problems, though.
>
> Googling around, I believe Java 6 is the only straggler [1]. So we would
> be breaking that. Java 7 also doesn't support DH parameters > 1024 bits,
> but it supports ECDHE, which is prioritized over DH ciphers, so it
> doesn't matter.
>
> Java 6 was released back in 2006. The last public release was in 2013.
> It wouldn't surprise me to still see it bundled with random proprietary
> software packages, though. The official PostgreSQL JDBC driver still
> supports it, but there has been discussion recently on dropping support
> for it, and even for Java 7. [2]
>
> I would be OK with breaking DH with Java 6 in PostgreSQL 10, especially
> since there's a simple workaround (generate a 1024-bit DH parameters
> file). I would be less enthusiastic about doing that in a minor release,
> although maybe that wouldn't be too bad either, if we put a prominent
> notice with the workaround in the release notes.

Some more information on the situation with JDK version 6: I installed
Debian wheezy on a VM, with OpenJDK 6, and tested connecting to a
patched server with the JDBC driver. It worked! Googling around, it
seems that this was fixed in later versions of OpenJDK 6
(https://bugs.openjdk.java.net/browse/JDK-8062834). I then downloaded
the latest Oracle JRE binary version, 6u45, available from
http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase6-419409.html.
With that, it does not work; you get errors like:

org.postgresql.util.PSQLException: SSL error:
java.lang.RuntimeException: Could not generate DH keypair
...
Caused by: java.security.InvalidAlgorithmParameterException: Prime size
must be multiple of 64, and can only range from 512 to 1024 (inclusive)

So, the last binary version downloadable from Oracle is affected, but
recent versions of OpenJDK 6 work.

Rebased patch attached, with proposed release notes included. Barring
new objections or arguments, I'll commit this (only) to v10 later today.

- Heikki

Attachment Content-Type Size
0001-Always-use-2048-bit-DH-parameters-for-OpenSSL-epheme.patch text/x-patch 15.6 KB
0002-Update-release-notes-for-the-DH-parameter-changes.patch text/x-patch 2.0 KB
