Opened 4 months ago

Closed 3 months ago

#27344 closed defect (fixed)

Debian OpenSSL 1.1.1~~pre6-1 defaults to requiring 2048 bit RSA keys

Reported by: weasel
Owned by:
Priority: Medium
Milestone: Tor: 0.3.4.x-final
Component: Core Tor/Tor
Version: Tor: unspecified
Severity: Normal
Keywords: openssl, debian, 034-must, 035-must, 029-backport, 032-backport, 033-backport, 034-backport
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by weasel)

Francois writes on https://bugs.debian.org/907351:

I get the following error in my logs approximately every 2 hours:

Aug 26 05:05:01 hostname Tor[25963]: TLS error while constructing a TLS context: dh key too small (in SSL routines:ssl3_ctx_ctrl:---)

I tried upgrading to the version in experimental and it also has this
problem.

[experimental had 0.3.4.6-rc-1 at that time.]

Child Tickets

Change History (8)

comment:1 Changed 4 months ago by weasel

Description: modified (diff)

comment:2 Changed 4 months ago by weasel

Note that the Debian openssl package has the default security level at 2 according to the packaging changelog.

openssl (1.1.1~~pre6-1) experimental; urgency=medium

  * New upstream version
  * Increase default security level from 1 to 2. This moves from the 80 bit
    security level to the 112 bit security level and will require 2048 bit RSA
    and DHE keys.

[from https://metadata.ftp-master.debian.org/changelogs/main/o/openssl/unstable_changelog]

Last edited 4 months ago by weasel (previous) (diff)

comment:3 Changed 4 months ago by teor

Keywords: openssl debian 034-must 035-must 029-backport 032-backport 033-backport 034-backport added
Milestone: Tor: 0.3.4.x-final
Summary: TLS error while constructing a TLS context: dh key too small (in SSL routines:ssl3_ctx_ctrl:---) → Debian OpenSSL 1.1.1~~pre6-1 requires 2048 bit RSA keys
Version: Tor: 0.3.3.9 → Tor: unspecified

This appears to be a bug on Tor 0.0.9pre5, but we only backport to supported release series.

The following Tor subsystems use RSA 1024 bit keys:

  • relay and bridge legacy onion keys
  • authorities and bridge authorities parsing those keys
  • v2 onion services

Some helpful people on #tor-dev suggest that we set the security level at runtime:
https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html

We should fix this in 0.3.4, then backport to 0.2.9 and later.

comment:4 Changed 4 months ago by teor

Summary: Debian OpenSSL 1.1.1~~pre6-1 requires 2048 bit RSA keys → Debian OpenSSL 1.1.1~~pre6-1 defaults to requiring 2048 bit RSA keys

comment:5 Changed 4 months ago by nickm

also, fwiw, the original warning is about DH keys. Nothing would break if we switched to using DH2048 groups in the cases where ECDHE isn't working.
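
A stand-alone reproduction of the two remedies raised in this thread: teor's pointer to setting the security level at runtime (comment 3) and nickm's observation that a 2048-bit DH group would pass where the 1024-bit one fails (comment 5). This is an added example, not Tor's code and not anything from the ticket or the linked branch. It assumes Python's ssl module is linked against OpenSSL 1.1.0 or later, uses the cipher-string suffix @SECLEVEL=n as the runtime equivalent of SSL_CTX_set_security_level(), and embeds the RFC 2409 group 2 and RFC 3526 group 14 MODP primes as the 1024- and 2048-bit parameters; the helper names are the example's own.

```python
"""Reproduce and resolve "dh key too small" under OpenSSL security levels.

Added example; not Tor's code and not part of ticket #27344. Assumes Python's
ssl module is built against OpenSSL >= 1.1.0, where the cipher-string suffix
"@SECLEVEL=n" sets a context's security level at runtime (the same knob as
SSL_CTX_set_security_level()).
"""
import base64
import os
import ssl
import tempfile

# Well-known MODP groups with generator 2, copied from the RFCs:
# 1024-bit = RFC 2409 group 2, 2048-bit = RFC 3526 group 14.
# Check them against the RFC text before reusing them anywhere real.
MODP_1024_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
MODP_2048_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)


def _der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(n):
    """DER INTEGER; a leading zero keeps values with the top bit set positive."""
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def dh_params_pem(p, g=2):
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }, PEM-armoured,
    i.e. the same shape `openssl dhparam` writes."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def try_set_tmp_dh(p, seclevel):
    """Mimic a server installing a DH group (SSL_CTX_set_tmp_dh) at a given
    OpenSSL security level. Returns (accepted, error_text)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Runtime equivalent of SSL_CTX_set_security_level(ctx, seclevel).
    ctx.set_ciphers("DEFAULT@SECLEVEL=%d" % seclevel)
    path = None
    try:
        with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as f:
            f.write(dh_params_pem(p))
            path = f.name
        ctx.load_dh_params(path)  # calls SSL_CTX_set_tmp_dh() under the hood
        return True, ""
    except ssl.SSLError as e:
        return False, str(e)  # "[SSL: DH_KEY_TOO_SMALL] dh key too small ..."
    finally:
        if path:
            os.unlink(path)


def security_level_matrix():
    """{(modulus_bits, seclevel): accepted} for both groups at levels 1 and 2."""
    return {(p.bit_length(), lvl): try_set_tmp_dh(p, lvl)[0]
            for p in (MODP_1024_P, MODP_2048_P) for lvl in (1, 2)}


if __name__ == "__main__":
    for (bits, lvl), ok in sorted(security_level_matrix().items()):
        print("DH %d-bit at SECLEVEL=%d: %s" % (bits, lvl, "accepted" if ok else "rejected"))
```

Run stand-alone it prints four lines: the 1024-bit group is accepted at level 1 and rejected at level 2 with the same DH_KEY_TOO_SMALL reason as the Tor log line in the description, and the 2048-bit group is accepted at both. Note that lowering the level re-enables every 80-bit-security algorithm for that context, not just DH, so swapping in the larger group is the narrower change for a server that actually negotiates DHE.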

comment:6 Changed 3 months ago by nickm

Status: new → needs_review

Please review branch ticket27344_029 -- the fix here is extremely simple.

PR at https://github.com/torproject/tor/compare/maint-0.2.9...nmathewson:ticket27344_029?expand=1

comment:7 Changed 3 months ago by asn

Status: needs_review → merge_ready

Code LGTM. Perhaps "these ciphers disabled by default" -> "these ciphers are disabled by default" in the changes file.

comment:8 Changed 3 months ago by nickm

Resolution: fixed
Status: merge_ready → closed

added "are" to changes file; merged to 0.2.9 and forward. Thanks!
