Add log for tls diffie–hellman ephemeral key #1508

Merged
merged 1 commit into from
Dec 30, 2023


michaelortmann
Member

@michaelortmann michaelortmann commented Nov 28, 2023

Found by: michaelortmann
Patch by: michaelortmann
Fixes:

One-line summary:
Add log for tls diffie–hellman ephemeral key

Additional description (if needed):
While at it, enhance log, remove a trailing '\n' from the result of SSL_CIPHER_description()

Test cases demonstrating functionality (if applicable):
Before:

[11:56:42] TLS: certificate valid from Nov 27 22:37:17 2023 GMT to Nov 26 22:37:17 2024 GMT
[11:56:42] TLS: cipher used: TLS_AES_256_GCM_SHA384 TLSv1.3; 256 bits (256 secret)
[11:56:42] TLS: cipher details: TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD

[11:56:42] TLS: state change: SSLv3/TLS write session ticket

After:

[11:57:25] TLS: certificate valid from Nov 27 22:37:17 2023 GMT to Nov 26 22:37:17 2024 GMT
[11:57:25] TLS: cipher used: TLS_AES_256_GCM_SHA384, 256 of 256 secret bits used for cipher, TLSv1.3
[11:57:25] TLS: cipher details: TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD
[11:57:25] TLS: diffie–hellman ephemeral key used: X25519, bits 253
[11:57:25] TLS: state change: SSLv3/TLS write session ticket

Tested with openssl 3.1.4, 1.1.1w and 1.0.2u

@vanosg
Member

vanosg commented Dec 1, 2023

Can you educate me on what this information would be used for? Not in a generic "what it does" sense, but more at the debug level, why a user would want/need to see this information? At first glance, I'm not sure there's a troubleshooting use case or demand signal to add something like this.

@michaelortmann
Member Author

I'm a security nerd and kinda paranoid.

I want to be able to check if the tls connection is secure, and for me it's not enough to check the key fingerprint, I want to be able to check if the tls handshake itself is secure. For example, for the key you would want to check the fingerprint, but how are you gonna check that secure dh parameters are used? A while ago, we added the option to eggdrop to give it a custom dh file. With tls 1.3 things changed again and X25519 is state of the art. This PR adds the ability for anyone to check the security of this vital part of dh, and in consequence of tls.

@vanosg vanosg added this to the v1.10.0 milestone Dec 30, 2023
@vanosg vanosg merged commit eb4ec42 into eggheads:develop Dec 30, 2023
1 check passed
@michaelortmann michaelortmann deleted the tmp_key branch January 3, 2024 22:29
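
One way to use the log line this PR adds, as an added example that is not part of the PR or of eggdrop's code: a Python audit of the TLS log that flags handshakes with a weak or missing ephemeral key. The `MIN_BITS` policy and the key names `X448` and `DH` are assumptions; only `X25519, bits 253` appears in the PR's output.

```python
import re

# Line added by this PR, e.g. "TLS: diffie–hellman ephemeral key used: X25519, bits 253".
# "." between the names accepts the en dash in the log as well as a plain hyphen.
KEY_RE = re.compile(r"TLS: diffie.hellman ephemeral key used: (\S+), bits (\d+)")
CIPHER_RE = re.compile(r"TLS: cipher used: ([^,\s]+)")

# Assumed policy, not part of the PR: minimum reported bits per key name.
# Only "X25519" is a name seen in the PR's log; "X448" and "DH" are assumptions.
MIN_BITS = {"X25519": 253, "X448": 448, "DH": 2048}


def classify(name, bits):
    """Rate one ephemeral key as ok, weak or unknown (name not in the policy)."""
    if name not in MIN_BITS:
        return "unknown"
    return "ok" if bits >= MIN_BITS[name] else "weak"


def audit(lines):
    """Return one (cipher, key name, bits, verdict) tuple per handshake."""
    results, pending = [], None
    for line in lines:
        cipher = CIPHER_RE.search(line)
        if cipher:
            if pending:  # previous handshake never logged its ephemeral key
                results.append((pending, None, None, "missing"))
            pending = cipher.group(1)
            continue
        key = KEY_RE.search(line)
        if key:
            name, bits = key.group(1), int(key.group(2))
            results.append((pending, name, bits, classify(name, bits)))
            pending = None
    if pending:
        results.append((pending, None, None, "missing"))
    return results


# First handshake is the "After" log from the PR; the rest is constructed sample input.
SAMPLE = """\
[11:57:25] TLS: cipher used: TLS_AES_256_GCM_SHA384, 256 of 256 secret bits used for cipher, TLSv1.3
[11:57:25] TLS: diffie–hellman ephemeral key used: X25519, bits 253
[12:01:03] TLS: cipher used: DHE-RSA-AES256-GCM-SHA384, 256 of 256 secret bits used for cipher, TLSv1.2
[12:01:03] TLS: diffie–hellman ephemeral key used: DH, bits 1024
[12:05:10] TLS: cipher used: AES256-GCM-SHA384, 256 of 256 secret bits used for cipher, TLSv1.2
""".splitlines()

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

A "missing" verdict also covers logs written before this change, which have no ephemeral key line at all.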