[Kimchi-devel] [PATCH] Prevent Kimchi against TLS Logjam attacks

Rodrigo Trujillo rodrigo.trujillo at linux.vnet.ibm.com
Thu Jun 18 19:25:14 UTC 2015



On 06/18/2015 03:33 PM, Aline Manera wrote:
>
>
> On 18/06/2015 15:26, Rodrigo Trujillo wrote:
>> There are several weaknesses in how Diffie-Hellman key exchange has been
>> deployed, allowing a man-in-the-middle attack named Logjam, more details
>> here: https://weakdh.org.
>> This patch improves the security in Nginx server, generating 2048bit
>> DH-Parameters or longer when using 2048bit RSA keys.
>>
>> Some parameters before patch:
>> echo | openssl s_client -connect localhost:8001 -cipher "DH"
>>     Cipher    : DHE-RSA-AES256-GCM-SHA384
>>     New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
>>     Server public key is 2048 bit
>>     Server Temp Key: DH, 1024 bits
>>
>> Some parameters after patch:
>> echo | openssl s_client -connect localhost:8001 -cipher "DH"
>>     Cipher    : DHE-RSA-AES256-GCM-SHA384
>>     New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
>>     Server public key is 2048 bit
>>     Server Temp Key: DH, 2048 bits  (*)
>>
>> This patch also changes the ciphers allowed by Nginx, and changes the build
>> scripts and the RPM spec file to deliver a new file: dhparams.pem.
>>
>> Signed-off-by: Rodrigo Trujillo <rodrigo.trujillo at linux.vnet.ibm.com>
>> ---
>>   Makefile.am                   | 1 +
>>   contrib/kimchi.spec.fedora.in | 3 ++-
>>   src/Makefile.am               | 8 +++++++-
>>   src/kimchi/proxy.py           | 6 +++++-
>>   src/nginx/Makefile.am         | 2 ++
>>   src/nginx/kimchi.conf.in      | 4 +++-
>>   6 files changed, 20 insertions(+), 4 deletions(-)
>>
>> diff --git a/Makefile.am b/Makefile.am
>> index 46b0b5b..5f2b401 100644
>> --- a/Makefile.am
>> +++ b/Makefile.am
>> @@ -133,6 +133,7 @@ install-data-local:
>>       touch $(DESTDIR)/var/log/kimchi/kimchi-access.log
>>       touch $(DESTDIR)/var/log/kimchi/kimchi-error.log
>>       mkdir -p $(DESTDIR)/etc/kimchi/
>> +    $(INSTALL_DATA) src/nginx/dhparams.pem 
>> $(DESTDIR)/etc/kimchi/dhparams.pem
>>       touch $(DESTDIR)/etc/nginx/conf.d/kimchi.conf
>>
>>   uninstall-local:
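Review bot: The added install line copies `src/nginx/dhparams.pem`, but the only rule in this patch that generates the file is in src/Makefile.am and writes `dhparams.pem` into `src/`. As far as the visible hunks show, nothing creates the file at the path installed here, so `make install` would fail on this line. Either move the `dhparams.pem` rule and its `CLEANFILES` entry into src/nginx/Makefile.am, or install from `src/dhparams.pem`. The body of `uninstall-local` is outside the hunk; it should remove `$(DESTDIR)/etc/kimchi/dhparams.pem` if it does not already remove the directory.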
>> diff --git a/contrib/kimchi.spec.fedora.in 
>> b/contrib/kimchi.spec.fedora.in
>> index dc5533a..de40fd1 100644
>> --- a/contrib/kimchi.spec.fedora.in
>> +++ b/contrib/kimchi.spec.fedora.in
>> @@ -34,6 +34,7 @@ Requires:    python-ldap
>>   Requires:    python-libguestfs
>>   Requires:    libguestfs-tools
>>   BuildRequires:    libxslt
>> +BuildRequires:    openssl
>>   BuildRequires:    python-lxml
>>
>>   %if 0%{?rhel} >= 6 || 0%{?fedora} >= 19
>> @@ -153,7 +154,7 @@ rm -rf $RPM_BUILD_ROOT
>>   %{_sysconfdir}/kimchi/distros.d/opensuse.json
>>   %{_sysconfdir}/kimchi/distros.d/ubuntu.json
>>   %{_sysconfdir}/kimchi/distros.d/gentoo.json
>> -%{_sysconfdir}/kimchi/
>> +%{_sysconfdir}/kimchi/*
>
> Isn't this change needed to kimchi.spec.suse.in too?

I reviewed and this change is not necessary in any of them. I will 
remove this.
>
>>   %{_sharedstatedir}/kimchi/debugreports/
>>   %{_sharedstatedir}/kimchi/screenshots/
>>   %{_sharedstatedir}/kimchi/vnc-tokens/
>> diff --git a/src/Makefile.am b/src/Makefile.am
>> index 38d231c..e0e0821 100644
>> --- a/src/Makefile.am
>> +++ b/src/Makefile.am
>> @@ -45,4 +45,10 @@ kimchid: kimchid.in Makefile
>>   kimchi.conf: kimchi.conf.in Makefile
>>       $(do_substitution) < kimchi.conf.in > kimchi.conf
>>
>> -CLEANFILES = $(bin_SCRIPTS) $(BUILT_SOURCES)
>> +# Generate unique Diffie-Hellman group with 2048-bit
>> +all-local: dhparams.pem
>> +
>> +dhparams.pem:
>> +    openssl dhparam -out dhparams.pem 2048
>> +
>> +CLEANFILES = $(bin_SCRIPTS) $(BUILT_SOURCES) dhparams.pem
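Review bot: The comment promises a unique group, but this rule runs at build time (the spec change adds `BuildRequires: openssl` for it), so every host that installs the same built package receives the same `dhparams.pem`. If per-host parameters are the goal, the file could be generated at first start, which is where the proxy.py context appears to write the key. Otherwise the comment should say what actually happens, e.g. `# Generate a 2048-bit Diffie-Hellman group at build time (shared by all installs of this build)`. The recipe should also write through `$@` and not leave a truncated file behind if openssl is interrupted: `openssl dhparam -out $@.tmp 2048 && mv -f $@.tmp $@`.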
>> diff --git a/src/kimchi/proxy.py b/src/kimchi/proxy.py
>> index e3e35b4..5dcca65 100644
>> --- a/src/kimchi/proxy.py
>> +++ b/src/kimchi/proxy.py
>> @@ -68,6 +68,9 @@ def _create_proxy_config(options):
>>               with open(key, "w") as f:
>>                   f.write(ssl_gen.key_pem())
>>
>> +    # Setting up Diffie-Hellman group with 2048-bit file
>> +    dhparams_pem = os.path.join(config_dir, "dhparams.pem")
>> +
>>       # Read template file and create a new config file
>>       # with the specified parameters.
>>       with open(os.path.join(nginx_config_dir, "kimchi.conf.in")) as 
>> template:
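Review bot: `dhparams_pem` is handed to the nginx template without checking that the file exists, unlike the key just above, which the visible context writes out itself. If `dhparams.pem` is missing from `config_dir` (an upgraded install or a source-tree run, for example), nginx will presumably reject the generated config at the `ssl_dhparam` line with an error that does not point back here. A guard such as `if not os.path.exists(dhparams_pem):` that raises with the path in the message, or generating the file at this point, would make the failure clear. `_create_proxy_config` starts and ends outside this hunk.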
>> @@ -78,7 +81,8 @@ def _create_proxy_config(options):
>> kimchid_port=options.cherrypy_port,
>> proxy_ssl_port=options.ssl_port,
>>                                   cert_pem=cert, cert_key=key,
>> - max_body_size=eval(options.max_body_size))
>> + max_body_size=eval(options.max_body_size),
>> +                                dhparams_pem=dhparams_pem)
>>
>>       # Write file to be used for nginx.
>>       config_file = open(os.path.join(nginx_config_dir, 
>> "kimchi.conf"), "w")
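Review bot: The rewritten `max_body_size=eval(options.max_body_size)` line still passes an option value through `eval()`, which executes whatever Python expression the option holds. Where `options.max_body_size` is set is not visible here. If it can come from a config file or the command line, it should be parsed as a number instead, for example `max_body_size=int(options.max_body_size)`, or validated before this call if the option is meant to accept an arithmetic expression. At minimum, a comment on the line should say why `eval` is required. The call this argument belongs to starts outside the hunk.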
>> diff --git a/src/nginx/Makefile.am b/src/nginx/Makefile.am
>> index 0241b37..c754947 100644
>> --- a/src/nginx/Makefile.am
>> +++ b/src/nginx/Makefile.am
>> @@ -21,3 +21,5 @@ EXTRA_DIST = kimchi.conf.in
>>
>>   confdir = $(sysconfdir)/nginx/conf.d
>>   dist_conf_DATA = kimchi.conf.in
>> +
>> +CLEANFILES = kimchi.conf
>> diff --git a/src/nginx/kimchi.conf.in b/src/nginx/kimchi.conf.in
>> index 3ecbde4..b0faea3 100644
>> --- a/src/nginx/kimchi.conf.in
>> +++ b/src/nginx/kimchi.conf.in
>> @@ -53,7 +53,9 @@ http {
>>           ssl_certificate ${cert_pem};
>>           ssl_certificate_key ${cert_key};
>>           ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
>> -        ssl_ciphers 
>> ECDH at STRENGTH:DH at STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNULL;
>> +        ssl_ciphers 
>> 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:@STRENGTH';
>> +        ssl_prefer_server_ciphers on;
>> +        ssl_dhparam ${dhparams_pem};
>>
>>           add_header Strict-Transport-Security "max-age=31536000; 
>> includeSubdomains;";
>>           add_header X-Frame-Options DENY;
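Review bot: The new `ssl_ciphers` string has no comment saying where it comes from or which parts address Logjam, which makes the next update hard to review. A short comment above it would help, e.g. `# ECDHE/DHE suites preferred; EXPORT, DES, RC4 and MD5 excluded; DHE uses the 2048-bit group from ssl_dhparam (Logjam)`. The list still admits `DES-CBC3-SHA` and the static-RSA `AES128-SHA`/`AES256-SHA` family, which have no forward secrecy. If these are kept for old clients, the comment should say so, otherwise they can be dropped. `ssl_dhparam ${dhparams_pem}` also makes nginx depend on that file existing when the config is loaded.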
>
> _______________________________________________
> Kimchi-devel mailing list
> Kimchi-devel at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/kimchi-devel
>



