Majic Projects
Majic Ansible Roles
Go to the previous open issue
Go to the previous issue (open or closed)
star_faded.png
Please log in to bookmark issues
icon_project.png Majic Ansible Roles / Closed Enhancement MAR-153 Use custom Diffie–Hellman parameters for services that utilise TLS connections
Go to the next issue (open or closed)
Go to the next open issue
This issue has been closed with status "Closed" and resolution "RESOLVED".
Issue basics
  • Type of issue
    Enhancement
  • Category
    Not determined
  • Targetted for
    5.0.0
  • Status
    Closed
  • Progress
  • Priority
    Not determined
User pain
  • Type of bug
    Not triaged
  • Likelihood
    Not triaged
  • Effect
    Not triaged
Affected by this issue (0)
There are no items
People involved
Times and dates
  • Posted at
  • Last updated
  • Estimated time
    Not estimated
  • Time spent
    4 hours
    Click here to see time logged against this issue
Issue details
  • Resolution
    RESOLVED
Attachments (0)
There is nothing attached to this issue
Duplicate issues (0)
This issue does not have any duplicates
Description

Current implementation of Majic Ansible Roles enforces use of TLS with strong ciphers wherever that is feasible. However, at the moment the Diffie-Hellman parameters, used in combination with a number of ciphers, are kept at their default values, which in most cases results in key sizes of 512 or 1024 bits. There is a number of problems with this:

  • It is insecure due to existence of Logjam attack.
  • Certain TLS implementations will trigger errors upon encountering such small key sizes, resulting in an effective inability to use the services (for example, mail clients and Firefox on Ubuntu 20.04).

It would instead be better to generate DH parameters for services that use TLS, and to configure the services to use the generated DH parameters explicitly.

The following should be done:

  • Update the following roles:
    • ldap_server
    • mail_forwarder
    • mail_server
    • web_server
    • xmpp_server
  • Generate a separate DH parameter for each service.
  • Configure the services to use the custom DH parameter.
  • Implement the necessary tests.
  • Update role reference documentation.
  • Update release notes.

This has been insecure for some time, and it would be desirable to switch to both explicitly generating the keys during deployment, and making sure that the generated key size is 2048 bits.

Todos (0 / 0)
Issue created