DataPower

  • 1.  Difficulties with key length and the Diffie-Hellman cipher

    Posted Fri January 31, 2020 03:52 AM
    My customer recently moved from firmware level 2018.4.1.6 to level 2018.4.1.9.
    They are now experiencing errors such as "ssl-client (LDAP_SSL_CLIENT_PROFILE): SSL library error: error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small".
    My understanding is that the security rules about the Diffie-Hellman cipher have been strengthened in DP (between 2018.4.1.6 and 2018.4.1.9) and that the key returned by the LDAP server while negotiating the SSL handshake is now regarded as too short by DataPower. I guess that the customer has to:
    - Either upgrade their LDAP server so that it returns a larger key.
    - Or disable the Diffie-Hellman ciphers in their DP crypto profiles.
    Could you please tell me:
    - What is now the minimum key length accepted by DP for the DH ciphers?
    - When was this strengthening introduced? (I did not find any related APAR in the lists of fixes.)

    ------------------------------
    Patrick Marie
    ------------------------------
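The error quoted above is the OpenSSL client-side check that fires when the Diffie-Hellman modulus p in the server's ServerKeyExchange is shorter than the configured minimum. The following is an added example, not code from the original thread or from IBM: it parses a TLS 1.2 DHE ServerKeyExchange message, extracts the bit length of p, and applies the same accept/reject decision against a configurable minimum. The 2048-bit threshold and the sample moduli are assumptions made for illustration; the thread does not state which minimum DataPower enforces, and the sample primes are constructed placeholders whose only relevant property is their bit length.

```python
"""Parse a TLS 1.2 DHE ServerKeyExchange and flag a Diffie-Hellman
prime that is shorter than a configured minimum (the condition behind
OpenSSL's "dh key too small" error)."""
import struct

# Assumed policy threshold. The value DataPower enforces is not stated
# in the thread; 2048 bits is used here only as an illustrative minimum.
MIN_DH_BITS = 2048

HANDSHAKE_SERVER_KEY_EXCHANGE = 0x0C


def _read_vector(buf, pos):
    """Read a TLS opaque <1..2^16-1> vector (2-byte big-endian length prefix)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from("!H", buf, pos)
    pos += 2
    if pos + length > len(buf):
        raise ValueError("truncated vector body")
    return buf[pos:pos + length], pos + length


def parse_server_dh_params(handshake):
    """Return (p_bits, g, ys_bits) from a DHE ServerKeyExchange.

    Expects the full handshake message: 1-byte type, 3-byte length, body.
    The body starts with ServerDHParams (dh_p, dh_g, dh_Ys); whatever
    follows is the server's signature and is ignored here."""
    if len(handshake) < 4 or handshake[0] != HANDSHAKE_SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange message")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("handshake length does not match body")
    p, pos = _read_vector(body, 0)
    g, pos = _read_vector(body, pos)
    ys, pos = _read_vector(body, pos)
    p_int = int.from_bytes(p, "big")
    return (p_int.bit_length(),
            int.from_bytes(g, "big"),
            int.from_bytes(ys, "big").bit_length())


def check_dh_key_size(handshake, min_bits=MIN_DH_BITS):
    """Mimic the client-side check: (accepted, p_bits)."""
    p_bits, _, _ = parse_server_dh_params(handshake)
    return p_bits >= min_bits, p_bits


def build_server_key_exchange(p_bytes, g_bytes, ys_bytes, signature=b""):
    """Constructed test message: wrap ServerDHParams in a handshake header."""
    body = b"".join(struct.pack("!H", len(v)) + v
                    for v in (p_bytes, g_bytes, ys_bytes)) + signature
    return (bytes([HANDSHAKE_SERVER_KEY_EXCHANGE])
            + len(body).to_bytes(3, "big") + body)


# Constructed sample moduli (not real safe primes; only their bit length
# matters for this check): a 1024-bit and a 2048-bit p.
P_1024 = ((1 << 1023) | 1).to_bytes(128, "big")
P_2048 = ((1 << 2047) | 1).to_bytes(256, "big")
G = b"\x02"
YS = ((1 << 1000) | 3).to_bytes(128, "big")  # constructed public value, < p

if __name__ == "__main__":
    for label, p in (("1024-bit", P_1024), ("2048-bit", P_2048)):
        ok, bits = check_dh_key_size(build_server_key_exchange(p, G, YS))
        verdict = "accepted" if ok else "dh key too small"
        print(f"{label} modulus: p={bits} bits -> {verdict}")
```

To see the live value an LDAP server is offering, `openssl s_client -connect host:636 -cipher 'DHE'` prints a `Server Temp Key: DH, N bits` line after the handshake; if N is below the gateway's minimum, the options are the ones listed in the post (larger DH parameters on the server, or a cipher list that prefers ECDHE/drops DHE on the gateway side).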


  • 2.  RE: Difficulties with key length and the Diffie-Hellman cipher

    Posted Mon February 03, 2020 09:31 AM
    Hi!

    I had a similar issue last week with one of our customers; they were moving between SSL Proxy Profiles and the new Crypto Profiles configuration (they were running 2018.4.1.7 but using old deprecated objects) and found that some legacy clients were failing to handshake as DataPower was imposing a 2048-bit key length... so I guess it's not been introduced at x.9 ...maybe .7 or earlier.

    We solved the issue by using old crypto objects in DataPower... I'd suggest, although it is not the recommended option (please remember that deprecated objects might stop working in the near future and, mainly, that such small DH keys imply a high security risk), that you configure old deprecated SSL Proxy Profiles for this connection... this would "solve" your issue and so give you more time to choose between the proposed options (either move away from DH or just increase the key length and revert the changes in DataPower).

    I hope this helps!!! ...it indeed did for my customer :)

    ------------------------------
    Victor Garcia
    IBM
    ------------------------------



  • 3.  RE: Difficulties with key length and the Diffie-Hellman cipher

    Posted Wed February 26, 2020 10:25 AM

    I cannot answer which APAR is responsible for the message to appear in 2018.4.1.9 and not in 2018.4.1.6.

    I looked up firmware code, and the "dh key too small" message was added back in 2015 for this CVE:

    https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-diffie-hellman-ciphers-affects-ibm-datapower-gateways-cve-2015-4000/

    5 CVE APARs have been fixed after 2018.4.1.6:

    https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-diffie-hellman-ciphers-affects-ibm-datapower-gateways-cve-2015-4000/
    If you want to know which was responsible for the new error message, please create a question type support ticket.



    ------------------------------
    Hermann Stamm-Wilbrandt
    DataPower, XML Compiler developer, L3
    IBM
    Boeblingen
    49-7031-16-3032
    ------------------------------



  • 4.  RE: Difficulties with key length and the Diffie-Hellman cipher

    Posted Wed February 26, 2020 10:27 AM

    Sorry, this is 2018.4.1 fixlist link:

    https://www.ibm.com/support/pages/node/316533#2018.4.1.7



    ------------------------------
    Hermann Stamm-Wilbrandt
    Compiler Level 3 support & Fixpack team lead
    IBM DataPower Gateways
    ------------------------------