Re: [Kimchi-devel] [PATCH] Prevent Kimchi against TLS Logjam attacks

On 18/06/2015 15:26, Rodrigo Trujillo wrote: > There are several weaknesses in how Diffie-Hellman key exchange has been > deployed, allowing a man-in-the-middle attack named Logjam, more details > here: https://weakdh.org. > This patch improves the security in Nginx server, generating 2048bit > DH-Parameters or longer when using 2048bit RSA keys. > > Some parameters before patch: > echo | openssl s_client -connect localhost:8001 -cipher "DH" > Cipher : DHE-RSA-AES256-GCM-SHA384 > New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384 > Server public key is 2048 bit > Server Temp Key: DH, 1024 bits > > Some parameters after patch: > echo | openssl s_client -connect localhost:8001 -cipher "DH" > Cipher : DHE-RSA-AES256-GCM-SHA384 > New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384 > Server public key is 2048 bit > Server Temp Key: DH, 2048 bits (*) > > This patch also changes the Ciphers allowed by Nginx, change build > scripts and the RPM spec file to deliver new file: dhparams.pem. > > Signed-off-by: Rodrigo Trujillo <rodrigo.trujillo(a)linux.vnet.ibm.com&gt; > --- > Makefile.am | 1 + > contrib/kimchi.spec.fedora.in | 3 ++- > src/Makefile.am | 8 +++++++- > src/kimchi/proxy.py | 6 +++++- > src/nginx/Makefile.am | 2 ++ > src/nginx/kimchi.conf.in | 4 +++- > 6 files changed, 20 insertions(+), 4 deletions(-) > > diff --git a/Makefile.am b/Makefile.am > index 46b0b5b..5f2b401 100644 > --- a/Makefile.am > +++ b/Makefile.am > @@ -133,6 +133,7 @@ install-data-local: > touch $(DESTDIR)/var/log/kimchi/kimchi-access.log > touch $(DESTDIR)/var/log/kimchi/kimchi-error.log > mkdir -p $(DESTDIR)/etc/kimchi/ > + $(INSTALL_DATA) src/nginx/dhparams.pem > $(DESTDIR)/etc/kimchi/dhparams.pem > touch $(DESTDIR)/etc/nginx/conf.d/kimchi.conf > > uninstall-local: > diff --git a/contrib/kimchi.spec.fedora.in > b/contrib/kimchi.spec.fedora.in > index dc5533a..de40fd1 100644 > --- a/contrib/kimchi.spec.fedora.in > +++ b/contrib/kimchi.spec.fedora.in > @@ -34,6 +34,7 @@ Requires: python-ldap > Requires: python-libguestfs > Requires: libguestfs-tools > BuildRequires: libxslt > +BuildRequires: openssl > BuildRequires: python-lxml > > %if 0%{?rhel} >= 6 || 0%{?fedora} >= 19 > @@ -153,7 +154,7 @@ rm -rf $RPM_BUILD_ROOT > %{_sysconfdir}/kimchi/distros.d/opensuse.json > %{_sysconfdir}/kimchi/distros.d/ubuntu.json > %{_sysconfdir}/kimchi/distros.d/gentoo.json > -%{_sysconfdir}/kimchi/ > +%{_sysconfdir}/kimchi/* Isn't this change needed to kimchi.spec.suse.in too?

> %{_sharedstatedir}/kimchi/debugreports/ > %{_sharedstatedir}/kimchi/screenshots/ > %{_sharedstatedir}/kimchi/vnc-tokens/ > diff --git a/src/Makefile.am b/src/Makefile.am > index 38d231c..e0e0821 100644 > --- a/src/Makefile.am > +++ b/src/Makefile.am > @@ -45,4 +45,10 @@ kimchid: kimchid.in Makefile > kimchi.conf: kimchi.conf.in Makefile > $(do_substitution) < kimchi.conf.in > kimchi.conf > > -CLEANFILES = $(bin_SCRIPTS) $(BUILT_SOURCES) > +# Generate unique Diffie-Hellman group with 2048-bit > +all-local: dhparams.pem > + > +dhparams.pem: > + openssl dhparam -out dhparams.pem 2048 > + > +CLEANFILES = $(bin_SCRIPTS) $(BUILT_SOURCES) dhparams.pem > diff --git a/src/kimchi/proxy.py b/src/kimchi/proxy.py > index e3e35b4..5dcca65 100644 > --- a/src/kimchi/proxy.py > +++ b/src/kimchi/proxy.py > @@ -68,6 +68,9 @@ def _create_proxy_config(options): > with open(key, "w") as f: > f.write(ssl_gen.key_pem()) > > + # Setting up Diffie-Hellman group with 2048-bit file > + dhparams_pem = os.path.join(config_dir, "dhparams.pem") > + > # Read template file and create a new config file > # with the specified parameters. > with open(os.path.join(nginx_config_dir, "kimchi.conf.in")) as > template: > @@ -78,7 +81,8 @@ def _create_proxy_config(options): > kimchid_port=options.cherrypy_port, > proxy_ssl_port=options.ssl_port, > cert_pem=cert, cert_key=key, > - max_body_size=eval(options.max_body_size)) > + max_body_size=eval(options.max_body_size), > + dhparams_pem=dhparams_pem) > > # Write file to be used for nginx. > config_file = open(os.path.join(nginx_config_dir, > "kimchi.conf"), "w") > diff --git a/src/nginx/Makefile.am b/src/nginx/Makefile.am > index 0241b37..c754947 100644 > --- a/src/nginx/Makefile.am > +++ b/src/nginx/Makefile.am > @@ -21,3 +21,5 @@ EXTRA_DIST = kimchi.conf.in > > confdir = $(sysconfdir)/nginx/conf.d > dist_conf_DATA = kimchi.conf.in > + > +CLEANFILES = kimchi.conf > diff --git a/src/nginx/kimchi.conf.in b/src/nginx/kimchi.conf.in > index 3ecbde4..b0faea3 100644 > --- a/src/nginx/kimchi.conf.in > +++ b/src/nginx/kimchi.conf.in > @@ -53,7 +53,9 @@ http { > ssl_certificate ${cert_pem}; > ssl_certificate_key ${cert_key}; > ssl_protocols TLSv1 TLSv1.1 TLSv1.2; > - ssl_ciphers > ECDH@STRENGTH:DH@STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNULL; > + ssl_ciphers > 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:@STRENGTH'; > + ssl_prefer_server_ciphers on; > + ssl_dhparam ${dhparams_pem}; > > add_header Strict-Transport-Security "max-age=31536000; > includeSubdomains;"; > add_header X-Frame-Options DENY; _______________________________________________ Kimchi-devel mailing list Kimchi-devel(a)ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel