Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#12217 closed defect (fixed)

Fix website weak key exchange

Reported by: UserUnknown
Owned by:
Priority: Medium
Milestone:
Component: Internal Services/Tor Sysadmin Team
Version:
Severity:
Keywords:
Cc: tom@…, Sebastian
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

The website uses a 2048-bit certificate, but when PFS ciphers are used (DHE), the key exchange is limited to 1024 bits, because the DH parameters are configured to 1024 bits.

https://www.ssllabs.com/ssltest/analyze.html?d=torproject.org

(If it's possible, please enable OCSP stapling as well.)

Change History (5)

comment:1 Changed 5 years ago by tom

Cc: tom@… added

comment:2 Changed 5 years ago by Sebastian

Cc: Sebastian added
Component: Website → Tor Sysadmin Team

This is for the sysadmins to decide

comment:3 Changed 5 years ago by weasel

Resolution: fixed
Status: new → closed

I don't think this is an issue anymore. If it still is, please re-open and provide more information.

comment:4 Changed 5 years ago by tom

I can confirm it is still an issue (ssllabs indicates 1024 bit groups still in use, it's in the ciphersuite table), but based off http://blog.ivanristic.com/2013/08/increasing-dhe-strength-on-apache.html it appears upgrading the group would require patching and compiling 2.2 or upgrading to 2.4.

comment:5 Changed 5 years ago by weasel

Then this too will have to wait for jessie.
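
A check for the condition this ticket reports, as an added example that is not part of the original ticket or of the Tor Project's tooling: it reads the `dh_p` length from a DHE ServerKeyExchange handshake message (TLS 1.2 and earlier) and flags groups under 2048 bits. The 2048-bit threshold, the function names and the sample messages are assumptions constructed for illustration.

```python
import struct

MIN_DH_BITS = 2048        # assumed policy: match the 2048-bit certificate in the ticket
SERVER_KEY_EXCHANGE = 12  # TLS handshake message type


def _read_vec16(buf, off):
    """Read one opaque<1..2^16-1> vector: 2-byte big-endian length, then data."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    end = off + 2 + n
    if n == 0 or end > len(buf):
        raise ValueError("bad vector length")
    return buf[off + 2:end], end


def dh_group_bits(handshake_msg):
    """Return the bit length of dh_p from a DHE ServerKeyExchange message."""
    if len(handshake_msg) < 4 or handshake_msg[0] != SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange message")
    body_len = int.from_bytes(handshake_msg[1:4], "big")
    body = handshake_msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    dh_p, off = _read_vec16(body, 0)
    _dh_g, off = _read_vec16(body, off)
    _dh_ys, off = _read_vec16(body, off)  # the signature follows; not needed here
    return int.from_bytes(dh_p, "big").bit_length()


def is_weak(handshake_msg, min_bits=MIN_DH_BITS):
    """True when the server's DH group is smaller than the policy minimum."""
    return dh_group_bits(handshake_msg) < min_bits


def constructed_ske(bits):
    """Build a constructed (not captured) message whose dh_p has `bits` bits.
    The modulus is a placeholder with top and low bits set, not a real prime."""
    p = ((1 << (bits - 1)) | 1).to_bytes((bits + 7) // 8, "big")
    g, ys = b"\x02", b"\x01" * len(p)
    body = b"".join(struct.pack("!H", len(v)) + v for v in (p, g, ys))
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for bits in (1024, 2048):
        msg = constructed_ske(bits)
        print(bits, dh_group_bits(msg), "WEAK" if is_weak(msg) else "ok")
```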
