There are several weaknesses in how Diffie-Hellman key exchange has been
deployed, which allow a man-in-the-middle attack named Logjam. More details
are available here:
https://weakdh.org.
This patch improves the security of the Nginx server by generating DH
parameters of 2048 bits or longer when 2048-bit RSA keys are in use.
Some parameters before patch:
echo | openssl s_client -connect localhost:8001 -cipher "DH"
Cipher : DHE-RSA-AES256-GCM-SHA384
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Server Temp Key: DH, 1024 bits
Some parameters after patch:
echo | openssl s_client -connect localhost:8001 -cipher "DH"
Cipher : DHE-RSA-AES256-GCM-SHA384
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Server Temp Key: DH, 2048 bits (*)
This patch also changes the Ciphers allowed by Nginx, change build
scripts and the RPM spec file to deliver new file: dhparams.pem.
Signed-off-by: Rodrigo Trujillo <rodrigo.trujillo(a)linux.vnet.ibm.com>
---
Makefile.am | 1 +
contrib/kimchi.spec.fedora.in | 3 ++-
src/Makefile.am | 8 +++++++-
src/kimchi/proxy.py | 6 +++++-
src/nginx/Makefile.am | 2 ++
src/nginx/kimchi.conf.in | 4 +++-
6 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 46b0b5b..5f2b401 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -133,6 +133,7 @@ install-data-local:
touch $(DESTDIR)/var/log/kimchi/kimchi-access.log
touch $(DESTDIR)/var/log/kimchi/kimchi-error.log
mkdir -p $(DESTDIR)/etc/kimchi/
+ $(INSTALL_DATA) src/nginx/dhparams.pem $(DESTDIR)/etc/kimchi/dhparams.pem
touch $(DESTDIR)/etc/nginx/conf.d/kimchi.conf
uninstall-local:
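Review bot: The added `$(INSTALL_DATA) src/nginx/dhparams.pem ...` line reads the file from `src/nginx/`, but the only rule in this patch that creates it is `dhparams.pem:` in `src/Makefile.am`, which writes `src/dhparams.pem`. Unless something outside this patch copies the file, `make install` would fail on a missing source, so the path should probably be `$(top_builddir)/src/dhparams.pem`, or the generation rule should move to `src/nginx/Makefile.am`. The `install-data-local` recipe begins outside this hunk, so earlier steps are not visible here.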
diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in
index dc5533a..de40fd1 100644
--- a/contrib/kimchi.spec.fedora.in
+++ b/contrib/kimchi.spec.fedora.in
@@ -34,6 +34,7 @@ Requires: python-ldap
Requires: python-libguestfs
Requires: libguestfs-tools
BuildRequires: libxslt
+BuildRequires: openssl
BuildRequires: python-lxml
%if 0%{?rhel} >= 6 || 0%{?fedora} >= 19
@@ -153,7 +154,7 @@ rm -rf $RPM_BUILD_ROOT
%{_sysconfdir}/kimchi/distros.d/opensuse.json
%{_sysconfdir}/kimchi/distros.d/ubuntu.json
%{_sysconfdir}/kimchi/distros.d/gentoo.json
-%{_sysconfdir}/kimchi/
+%{_sysconfdir}/kimchi/*
%{_sharedstatedir}/kimchi/debugreports/
%{_sharedstatedir}/kimchi/screenshots/
%{_sharedstatedir}/kimchi/vnc-tokens/
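Review bot: Replacing `%{_sysconfdir}/kimchi/` with `%{_sysconfdir}/kimchi/*` means the package owns only the directory's contents and no longer the directory itself, so `/etc/kimchi` is left unowned and its mode is no longer tracked by RPM. Keeping ownership and naming the new file explicitly, e.g. `%dir %{_sysconfdir}/kimchi` plus `%{_sysconfdir}/kimchi/dhparams.pem`, would also make it visible in the spec that the DH parameters ship in the package. The rest of the `%files` list is outside this hunk, so other entries under that directory may need the same treatment.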
diff --git a/src/Makefile.am b/src/Makefile.am
index 38d231c..e0e0821 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -45,4 +45,10 @@ kimchid: kimchid.in Makefile
kimchi.conf: kimchi.conf.in Makefile
$(do_substitution) < kimchi.conf.in > kimchi.conf
-CLEANFILES = $(bin_SCRIPTS) $(BUILT_SOURCES)
+# Generate unique Diffie-Hellman group with 2048-bit
+all-local: dhparams.pem
+
+dhparams.pem:
+ openssl dhparam -out dhparams.pem 2048
+
+CLEANFILES = $(bin_SCRIPTS) $(BUILT_SOURCES) dhparams.pem
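Review bot: The `dhparams.pem` rule runs at build time, so every host that installs the same built package shares one DH group, which the comment `# Generate unique Diffie-Hellman group with 2048-bit` does not convey. If a per-deployment group is the goal, generating the file on the host at first start would fit better (the proxy.py hunk shows the key being written at runtime). Otherwise reword the comment to `# Generate a 2048-bit Diffie-Hellman group at build time (shared by all installs of this build)`. The recipe should also write through a temporary file so an interrupted run cannot leave a truncated but up-to-date target: `openssl dhparam -out $@.tmp 2048 && mv -f $@.tmp $@`.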
diff --git a/src/kimchi/proxy.py b/src/kimchi/proxy.py
index e3e35b4..5dcca65 100644
--- a/src/kimchi/proxy.py
+++ b/src/kimchi/proxy.py
@@ -68,6 +68,9 @@ def _create_proxy_config(options):
with open(key, "w") as f:
f.write(ssl_gen.key_pem())
+ # Setting up Diffie-Hellman group with 2048-bit file
+ dhparams_pem = os.path.join(config_dir, "dhparams.pem")
+
# Read template file and create a new config file
# with the specified parameters.
with open(os.path.join(nginx_config_dir, "kimchi.conf.in")) as template:
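Review bot: The `dhparams_pem` path is built and passed to the template without checking that the file exists, so a missing or unreadable file only surfaces later as an nginx configuration error on `ssl_dhparam`. A guard right after the assignment would fail early with a clear message, e.g. `if not os.path.isfile(dhparams_pem): raise IOError("DH parameters file not found: %s" % dhparams_pem)`. The comment `# Setting up Diffie-Hellman group with 2048-bit file` could also say that the file is expected to be installed by the package rather than created here. `_create_proxy_config` starts and ends outside this hunk.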
@@ -78,7 +81,8 @@ def _create_proxy_config(options):
kimchid_port=options.cherrypy_port,
proxy_ssl_port=options.ssl_port,
cert_pem=cert, cert_key=key,
- max_body_size=eval(options.max_body_size))
+ max_body_size=eval(options.max_body_size),
+ dhparams_pem=dhparams_pem)
# Write file to be used for nginx.
config_file = open(os.path.join(nginx_config_dir, "kimchi.conf"),
"w")
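Review bot: The rewritten line keeps `max_body_size=eval(options.max_body_size)`, which evaluates a configuration string as Python, so anyone who can set that option can run code in the process that writes the TLS proxy configuration. If the option is only ever a number (its format is not visible in this hunk), `max_body_size=int(options.max_body_size),` would suffice. If arithmetic expressions must be supported, a small restricted parser is safer than `eval`. Separately, `config_file = open(...)` is not opened with `with` as the template is above, though its close may happen outside this hunk.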
diff --git a/src/nginx/Makefile.am b/src/nginx/Makefile.am
index 0241b37..c754947 100644
--- a/src/nginx/Makefile.am
+++ b/src/nginx/Makefile.am
@@ -21,3 +21,5 @@ EXTRA_DIST = kimchi.conf.in
confdir = $(sysconfdir)/nginx/conf.d
dist_conf_DATA = kimchi.conf.in
+
+CLEANFILES = kimchi.conf
diff --git a/src/nginx/kimchi.conf.in b/src/nginx/kimchi.conf.in
index 3ecbde4..b0faea3 100644
--- a/src/nginx/kimchi.conf.in
+++ b/src/nginx/kimchi.conf.in
@@ -53,7 +53,9 @@ http {
ssl_certificate ${cert_pem};
ssl_certificate_key ${cert_key};
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers ECDH@STRENGTH:DH@STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNULL;
+ ssl_ciphers
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:@STRENGTH';
+ ssl_prefer_server_ciphers on;
+ ssl_dhparam ${dhparams_pem};
add_header Strict-Transport-Security "max-age=31536000;
includeSubdomains;";
add_header X-Frame-Options DENY;
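Review bot: The new `ssl_ciphers` list still admits `DES-CBC3-SHA` (3DES, a 64-bit block cipher that `!DES` does not exclude) and static-RSA suites such as `AES128-SHA`, which give no forward secrecy. The unchanged `ssl_protocols` line also keeps `TLSv1`. If legacy clients are not a requirement, drop `DES-CBC3-SHA` and the non-(EC)DHE entries. The trailing `@STRENGTH` re-sorts the whole list by key length, so the hand-written order is not exactly what `ssl_prefer_server_ciphers on` will enforce. A comment above the directive recording where the list came from and why `@STRENGTH` is applied would help whoever updates it next.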
--
2.1.0