Majic Projects ~ [CLOSED] MAR-153 - Use custom Diffie–Hellman parameters for services that utilise TLS connections

Majic Projects

Majic Ansible Roles

Projects
Wiki
- Quick links
- Wiki
- Project wikis
- Conntrackt
- Django Pydenticon
- Gimmecert
- Majic Ansible Roles
- Pydenticon
- Scripts
- Global content

Majic Ansible Roles / Closed Enhancement MAR-153 Use custom Diffie–Hellman parameters for services that utilise TLS connections

This issue has been closed with status "Closed" and resolution "RESOLVED".

- No additional actions available

Issue basics

Type of issue

Enhancement Unknown issue type
Issue label

No label set
Category

Not determined
Targetted for

5.0.0 Not determined
Status

Closed

Status not determined
Progress
Priority

Not determined

Affected by this issue (0)

There are no items

People involved

Posted by
branko (@branko)

Branko Majic
@branko

Last seen online at Apr 24, 2024 - 20:11

Show user details
Owned by

Not owned by anyone
Assigned to
branko (@branko)

Branko Majic
@branko

Last seen online at Apr 24, 2024 - 20:11

Show user details
Not assigned to anyone
Subscribers

0 subscriber(s)

Click here to show the list of subscribers

Times and dates

Posted at

May 02, 2020
Last updated

May 19, 2020
Estimated time

Not estimated
Time spent

4 hours No time spent

Click here to see time logged against this issue

Issue details

Resolution

RESOLVED Not determined
Reproducability

Not determined
Severity

Not determined

Attachments (0)

There is nothing attached to this issue

Child issues (0)

This issue does not have any child issues

Duplicate issues (0)

This issue does not have any duplicates

Show / hide more details »

Description

Current implementation of Majic Ansible Roles enforces use of TLS with strong ciphers wherever that is feasible. However, at the moment the Diffie-Hellman parameters, used in combination with a number of ciphers, are kept at their default values, which in most cases results in key sizes of 512 or 1024 bits. There is a number of problems with this:

It is insecure due to existence of Logjam attack.
Certain TLS implementations will trigger errors upon encountering such small key sizes, resulting in an effective inability to use the services (for example, mail clients and Firefox on Ubuntu 20.04).

It would instead be better to generate DH parameters for services that use TLS, and to configure the services to use the generated DH parameters explicitly.

The following should be done:

Update the following roles:
- ldap_server
- mail_forwarder
- mail_server
- web_server
- xmpp_server
Generate a separate DH parameter for each service.
Configure the services to use the custom DH parameter.
Implement the necessary tests.
Update role reference documentation.
Update release notes.

This has been insecure for some time, and it would be desirable to switch to both explicitly generating the keys during deployment, and making sure that the generated key size is 2048 bits.

Todos (0 / 0)

Options

Issue created

Welcome to The Bug Genie

Log in with your username and password