MEDIUM: ssl: Disable DHE ciphers by default

DHE ciphers do not present a security risk if the key is big enough but
they are slow and mostly obsoleted by ECDHE. This patch removes any
default DH parameters. This will effectively disable all DHE ciphers
unless a global ssl-dh-param-file is defined, or
tune.ssl.default-dh-param is set, or a frontend has DH parameters
included in its PEM certificate. In this latter case, only the frontends
that have DH parameters will have DHE ciphers enabled.
Adding explicitely a DHE ciphers in a "bind" line will not be enough to
actually enable DHE. We would still need to know which DH parameters to
use so one of the three conditions described above must be met.

This request was described in GitHub issue #1604.

doc/configuration.txt

@@ -1960,9 +1960,10 @@ ssl-dh-param-file <file>
   which do not explicitly define theirs. It will be overridden by custom DH
   parameters found in a bind certificate file if any. If custom DH parameters
   are not specified either by using ssl-dh-param-file or by setting them
-  directly in the certificate file, pre-generated DH parameters of the size
+  directly in the certificate file, DHE ciphers will not be used, unless
-  specified by tune.ssl.default-dh-param will be used. Custom parameters are
+  tune.ssl.default-dh-param is set. In this latter case, pre-defined DH
-  known to be more secure and therefore their use is recommended.
+  parameters of the specified size will be used. Custom parameters are known to
+  be more secure and therefore their use is recommended.
   Custom DH parameters may be generated by using the OpenSSL command
   "openssl dhparam <size>", where size should be at least 2048, as 1024-bit DH
   parameters should not be considered secure anymore.
@@ -2925,11 +2926,14 @@ tune.ssl.default-dh-param <number>
   the ephemeral/temporary Diffie-Hellman key in case of DHE key exchange. The
   final size will try to match the size of the server's RSA (or DSA) key (e.g,
   a 2048 bits temporary DH key for a 2048 bits RSA key), but will not exceed
-  this maximum value. Default value if 2048. Only 1024 or higher values are
+  this maximum value. Only 1024 or higher values are allowed. Higher values
-  allowed. Higher values will increase the CPU load, and values greater than
+  will increase the CPU load, and values greater than 1024 bits are not
-  1024 bits are not supported by Java 7 and earlier clients. This value is not
+  supported by Java 7 and earlier clients. This value is not used if static
-  used if static Diffie-Hellman parameters are supplied either directly
+  Diffie-Hellman parameters are supplied either directly in the certificate
-  in the certificate file or by using the ssl-dh-param-file parameter.
+  file or by using the ssl-dh-param-file parameter.
+  If there is neither a default-dh-param nor a ssl-dh-param-file defined, and
+  if the server's PEM file of a given frontend does not specify its own DH
+  parameters, then DHE ciphers will be unavailable for this frontend.
 
 tune.ssl.ssl-ctx-cache-size <number>
   Sets the size of the cache used to store generated certificates to <number>

include/haproxy/defaults.h

@@ -354,7 +354,7 @@
 
 /* ssl max dh param size */
 #ifndef SSL_DEFAULT_DH_PARAM
-#define SSL_DEFAULT_DH_PARAM 2048
+#define SSL_DEFAULT_DH_PARAM 0
 #endif
 
 /* max memory cost per SSL session */

reg-tests/ssl/ssl_dh.vtc

@@ -2,9 +2,10 @@
 
 # This reg-tests checks that the DH-related mechanisms works properly.
 # When no DH is specified, either directly in the server's PEM or through a
-# ssl-dh-param-file global option, in case of DHE negotiation, the hard coded
+# ssl-dh-param-file global option, and no tune.ssl.default-dh-param is defined,
-# DH parameters included in the sources will be used. We will use DH parameters
+# DHE ciphers are disabled.
-# of the same size as the server's RSA or DSA key.
+# If a default-dh-param is defined, we will use DH parameters of the same size
+# as the server's RSA or DSA key, or default-dh-param if it is smaller.
 # This test has three distinct HAProxy instances, one with no DH-related option
 # used, one with the tune.ssl.default-dh-param global parameter set, and one
 # with an ssl-dh-param-file global option.
@@ -123,8 +124,8 @@ haproxy h3 -conf {
 client c1 -connect ${h1_clearlst_sock} {
   txreq
   rxresp
-  expect resp.status == 200
+  # No DH parameters are defined, DHE ciphers are unavailable
-  expect resp.http.x-ssl-cipher == "DHE-RSA-AES256-GCM-SHA384"
+  expect resp.status == 503
 } -run
 
 client c2 -connect ${h2_clearlst_dfltdh_sock} {
@@ -144,18 +145,11 @@ client c3 -connect ${h3_clearlst_dhfile_sock} {
 client c4 -connect ${h1_clearlst_sock} {
   txreq -url "/gencert"
   rxresp
-  expect resp.status == 200
+  # No DH parameters are defined, DHE ciphers are unavailable
-  expect resp.http.x-ssl-cipher == "DHE-RSA-AES256-GCM-SHA384"
+  expect resp.status == 503
 } -run
 
 
-#
-# Check the size of the DH key
-#
-shell {
-    echo "Q" | openssl s_client -unix "${tmpdir}/ssl_dflt.sock" -tls1_2 2>/dev/null | grep -E "Server Temp Key: DH, 2048 bits"
-}
-
 # On the second HAProxy instance, even if default-dh-param is set to 4096, this
 # value is only considered as a maximum DH key length and we will always try to
 # match the server's certificate key length in our DHE key exchange (2048 bits
@@ -168,11 +162,6 @@ shell {
     echo "Q" | openssl s_client -unix "${tmpdir}/ssl_dhfile.sock" -tls1_2 2>/dev/null | grep -E "Server Temp Key: DH, 4096 bits"
 }
 
-shell {
-    echo "Q" | openssl s_client -unix "${tmpdir}/ssl_dflt_gencert.sock" -tls1_2 2>/dev/null | grep -E "Server Temp Key: DH, 2048 bits"
-}
-
-
 
 #
 # Add a custom DH to the server's PEM certificate
@@ -191,6 +180,8 @@ shell {
 
 #
 # Check that all the SSL backend <-> SSL frontend connections still work
+# Common.pem now contains DH parameters so the first instance's frontends
+# can now use DHE ciphers.
 #
 client c5 -connect ${h1_clearlst_sock} {
   txreq

src/ssl_sock.c

@@ -3215,8 +3215,6 @@ static void ssl_sock_set_tmp_dh_from_pkey(SSL_CTX *ctx, EVP_PKEY *pkey)
 		if (!SSL_CTX_set0_tmp_dh_pkey(ctx, dh))
 			HASSL_DH_free(dh);
 	}
-	else
-		SSL_CTX_set_dh_auto(ctx, 1);
 }
 #endif
 
@@ -3421,14 +3419,8 @@ static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct cert_key_and_chain
 		if (!ssl_sock_set_tmp_dh(ctx, dh)) {
 			memprintf(err, "%sunable to load the DH parameter specified in '%s'",
 				  err && *err ? *err : "", path);
-#if defined(SSL_CTX_set_dh_auto)
-			SSL_CTX_set_dh_auto(ctx, 1);
-			memprintf(err, "%s, SSL library will use an automatically generated DH parameter.\n",
-				  err && *err ? *err : "");
-#else
 			memprintf(err, "%s, DH ciphers won't be available.\n",
 				  err && *err ? *err : "");
-#endif
 			ret |= ERR_WARN;
 			goto end;
 		}
@@ -3443,14 +3435,8 @@ static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct cert_key_and_chain
 		if (!ssl_sock_set_tmp_dh(ctx, global_dh)) {
 			memprintf(err, "%sunable to use the global DH parameter for certificate '%s'",
 				  err && *err ? *err : "", path);
-#if defined(SSL_CTX_set_dh_auto)
-			SSL_CTX_set_dh_auto(ctx, 1);
-			memprintf(err, "%s, SSL library will use an automatically generated DH parameter.\n",
-				  err && *err ? *err : "");
-#else
 			memprintf(err, "%s, DH ciphers won't be available.\n",
 				  err && *err ? *err : "");
-#endif
 			ret |= ERR_WARN;
 			goto end;
 		}
@@ -3459,39 +3445,38 @@ static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct cert_key_and_chain
 		/* Clear openssl global errors stack */
 		ERR_clear_error();
 
-		if (global_ssl.default_dh_param && global_ssl.default_dh_param <= 1024) {
+		/* We do not want DHE ciphers to be added to the cipher list
-			/* we are limited to DH parameter of 1024 bits anyway */
+		 * unless there is an explicit global dh option in the conf.
-			if (local_dh_1024 == NULL)
+		 */
-				local_dh_1024 = ssl_get_dh_1024();
+		if (global_ssl.default_dh_param) {
+			if (global_ssl.default_dh_param <= 1024) {
+				/* we are limited to DH parameter of 1024 bits anyway */
+				if (local_dh_1024 == NULL)
+					local_dh_1024 = ssl_get_dh_1024();
 
-			if (local_dh_1024 == NULL) {
+				if (local_dh_1024 == NULL) {
-				memprintf(err, "%sunable to load default 1024 bits DH parameter for certificate '%s'.\n",
+					memprintf(err, "%sunable to load default 1024 bits DH parameter for certificate '%s'.\n",
-					  err && *err ? *err : "", path);
+						  err && *err ? *err : "", path);
-				ret |= ERR_ALERT | ERR_FATAL;
+					ret |= ERR_ALERT | ERR_FATAL;
-				goto end;
+					goto end;
-			}
+				}
 
-			if (!ssl_sock_set_tmp_dh(ctx, local_dh_1024)) {
+				if (!ssl_sock_set_tmp_dh(ctx, local_dh_1024)) {
-				memprintf(err, "%sunable to load default 1024 bits DH parameter for certificate '%s'.\n",
+					memprintf(err, "%sunable to load default 1024 bits DH parameter for certificate '%s'.\n",
-					  err && *err ? *err : "", path);
+						  err && *err ? *err : "", path);
-#if defined(SSL_CTX_set_dh_auto)
+					memprintf(err, "%s, DH ciphers won't be available.\n",
-				SSL_CTX_set_dh_auto(ctx, 1);
+						  err && *err ? *err : "");
-				memprintf(err, "%s, SSL library will use an automatically generated DH parameter.\n",
+					ret |= ERR_WARN;
-					  err && *err ? *err : "");
+					goto end;
-#else
+				}
-				memprintf(err, "%s, DH ciphers won't be available.\n",
-					  err && *err ? *err : "");
-#endif
-				ret |= ERR_WARN;
-				goto end;
 			}
-		}
+			else {
-		else {
 #if (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL)
-			SSL_CTX_set_tmp_dh_callback(ctx, ssl_get_tmp_dh_cbk);
+				SSL_CTX_set_tmp_dh_callback(ctx, ssl_get_tmp_dh_cbk);
 #else
-			ssl_sock_set_tmp_dh_from_pkey(ctx, ckch ? ckch->key : NULL);
+				ssl_sock_set_tmp_dh_from_pkey(ctx, ckch ? ckch->key : NULL);
 #endif
+			}
 		}
 	}
 
@@ -4828,21 +4813,12 @@ static int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_con
 #endif
 
 #ifndef OPENSSL_NO_DH
-	if (global_ssl.default_dh_param >= 1024) {
+	if (!local_dh_1024)
-		if (local_dh_1024 == NULL) {
+		local_dh_1024 = ssl_get_dh_1024();
-			local_dh_1024 = ssl_get_dh_1024();
+	if (!local_dh_2048)
-		}
+		local_dh_2048 = ssl_get_dh_2048();
-		if (global_ssl.default_dh_param >= 2048) {
+	if (!local_dh_4096)
-			if (local_dh_2048 == NULL) {
+		local_dh_4096 = ssl_get_dh_4096();
-				local_dh_2048 = ssl_get_dh_2048();
-			}
-			if (global_ssl.default_dh_param >= 4096) {
-				if (local_dh_4096 == NULL) {
-					local_dh_4096 = ssl_get_dh_4096();
-				}
-			}
-		}
-	}
 #endif /* OPENSSL_NO_DH */
 
 	SSL_CTX_set_info_callback(ctx, ssl_sock_infocbk);