Opened 3 years ago

Closed 3 years ago

#4078 closed defect (fixed)

Apply Nginx work-around for CVE-2015-4000

Reported by: matze Assignee: matze
Priority: P1 Milestone:
Module: Infrastructure Keywords:
Cc: fhd, palant Blocked By:
Blocking: Platform: Unknown / Cross platform
Ready: yes Confidential: no
Tester: Unknown Verified working: no
Review URL(s):


The Nginx server is potentially vulnerable to CVE-2015-4000: The default parameters being used with the DHE_{DSS,RSA}_EXPORT cipher-suites (see RFC 2246 - TLS, section 7.4), which are actually the default OpenSSL resources, rely on a 1024 bit cipher during key-exchange. This means a connection being established with a stronger cipher is downgraded to weaker encryption during the handshake, which renders the additional entropy pointless in a plethora of MITM scenarios.

What to do

Extend Puppet module nginx to a) create a custom key parameter file of at least 4096 bits at provisioning time and b) configure Nginx to use this one instead of the default.

Change History (5)

comment:1 Changed 3 years ago by matze

Generating a custom parameter file with the necessary entropy requires quite some time:

$ time openssl dhparam -out files/dhe_rsa_export.pem 4096
Generating DH parameters, 4096 bit long safe prime, generator 2
This is going to take a long time

real    1m30.390s
user    1m30.404s
sys     0m0.024s

The above example is the minimum I was able to produce. Virtual boxes with a single core (typical development instance) it take almost 10 minutes. Regular hosts under load report success after 4-7 minutes.

Hence this is hardly applicable when a box is provisioned, especially not in development and test. In production it would not have that much of an impact yet, primarily due to the fact that acquiring new resources is a somehow time-consuming, manual process anyway. Still, it seems to be more applicable maintaining such a file in the private{-stub,} modules, respectively.

Last edited 3 years ago by matze (previous) (diff)

comment:2 Changed 3 years ago by matze

  • Sensitive unset

comment:3 Changed 3 years ago by matze

  • Review URL(s) modified (diff)
  • Status changed from new to reviewing

comment:4 Changed 3 years ago by abpbot

A commit referencing this issue has landed:
Issue 4078 - Apply Nginx work-around for CVE-2015-4000

comment:5 Changed 3 years ago by matze

  • Resolution set to fixed
  • Status changed from reviewing to closed
Note: See TracTickets for help on using tickets.