[aklug] Re: heads-up for OpenSSL change affecting TLS using 512-bit DH parameters

From: Royce Williams <royce@tycho.org>
Date: Thu Jun 11 2015 - 19:32:58 AKDT

On Thu, Jun 11, 2015 at 6:21 PM, Royce Williams <royce@tycho.org> wrote:
> A semi-OT public-service announcement for Alaskan geeks, since this is
> the largest forum I'm aware of that contains them. :) It will also
> directly impact any Linux users trying to get to certain web sites,
> including some Alaskan ones. I've been doing some research into SSL
> and TLS recently, so I thought I could provide a heads-up.
>
> Today's OpenSSL annoucement here:
>
> https://www.openssl.org/news/secadv_20150611.txt
>
> ... says:
>
> "OpenSSL has added protection for TLS clients by rejecting handshakes
> with DH parameters shorter than 768 bits. This limit will be increased
> to 1024 bits in a future release."
>
> This is in response to the recently publicized Logjam vulnerability:
>
> https://weakdh.org/
>
>
> As these new OpenSSL patches ripple across the Internet, TLS to the
> following Alaska-affiliated web sites may be affected, because they
> are using 512-bit DH parameters:
>
> akaerospace.com
> akalpinelodge.com
> alaskanmalamute.org
> cityofbarrow.org
> cityofsitka.com
> denalitek.com
> g2const.com
> kbrw.org
> rt.rbcak.org
> web.akalpinelodge.com
> yakandyetialaska.com
>
>
> The list of sites using 768-bit is quite a bit larger, and while
> they're not currently affected by the OpenSSL patches, their days are
> numbered. Action in advance is likely called for. They are as
> follows:
>
> 511ride.alaska.gov
> afsy-swvmm1.asrcfederal.com
> akdesktops.bannerhealth.com
> calendars.k12northstar.org
> climate.iarc.uaf.edu
> eingang.uui-alaska.com
> filter.ideafamilies.org
> follett.nsbsd.org
> mail.k12northstar.org
> mobility.alaskaheart.com
> msggw1.asrc.com
> n-central.structured.com
> nwc-vueadmin.users.nome.uaf.edu
> p6.aicllc.com
> ps.ideafamilies.org
> ps.jsd.k12.ak.us
> ps.juneauschools.org
> ps.nwarctic.org
> pw.matsuk12.us
> pwr.asrc.com
> pwr.asrcfederal.com
> pwr.iaminupiaq.com
> remote.alaskaheart.com
> school.kgbsd.org
> smg2.asrcfederal.com
> smtp.ideafamilies.org
> solarwindsvm.asrcfederal.com
> spam1.asrcfederal.com
> sslvpn.hccontractors.net
> sslvpn.kakivik.com
> support.matsuk12.us
> tempo.arcticslope.org
> vdi.dol.alaska.gov
> webmail.k12northstar.org
> webvac.muni.org
> xtr.correct.state.ak.us
> zimbra.k12northstar.org
> zmail.k12northstar.org
>
> Even those sites running at 1024 bit are affected (though only by
> attackers at the nation-state level, as I understand it). That list
> of hostnames is even longer, and I will defer publishing that for now
> in the interest of brevity. :)
>
> If you are an admin for one of these sites, please go to the Qualys
> SSL Labs server tester to test your site to confirm the weak DH
> parameters, and find tips on how to address the issue:
>
> https://www.ssllabs.com/ssltest/
>
> If you aren't the admin for one of these sites but you know who is,
> please forward this message accordingly.
>
> I've worked with the Qualys results quite a bit, and have also tweaked
> the SSL/TLS parameters in Windows and Linux/Apache land, so if you (or
> they) have any questions, feel free to ping me.
>
> As a side note, be aware that the OpenSSL team will stop supporting
> the 0.9.8 and 1.0.0 branches of OpenSSL after December 2015. There's
> probably a lot of embedded Linux, Linux VPSes, and Linux-based
> appliances out there using these flavors of OpenSSL, so you should
> probably start hunting for them now.

I forgot to mention: a number of these look as though their SSL is
inadvertent, in that DNS maps that hostname (or its www) to an IP
which speaks SSL/TLS on TCP 443, but the server certificate is not
configured for that hostname. Unfortunately, there's no way to
definitively ascertain the administrative intent of the original
implementors, so all such sites should be checked by the geeks who
care about them.

These references may also be helpful:

http://en.wikipedia.org/wiki/Server_Name_Indication
http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2

Royce
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Thu Jun 11 19:33:40 2015

This archive was generated by hypermail 2.1.8 : Thu Jun 11 2015 - 19:33:40 AKDT