#2385 new enhancement

node web server should use DHE/ECDHE suites automatically

Reported by: j3i Owned by: j3i
Priority: major Milestone: undecided
Component: code-frontend-web Version: 1.10.0
Keywords: security websec https forward-secrecy twisted Cc:
Launchpad Bug:

Description

Right now you have to manually generate Diffie-Hellman parameters and define them in the config if you want to use a node's web server via TLS and not be restricted to plain RSA authentication like this:

web.port = ssl:443:privateKey=key.pem:certKey=cert.pem:dhParameters=params.pem

The DH parameters should be provided automatically and cipher suites with PFS should work out of the box.

Change History (5)

comment:1 Changed at 2015-04-12T21:53:49Z by daira

  • Keywords security websec https added
  • Priority changed from normal to major

comment:2 Changed at 2015-04-12T21:59:17Z by daira

  • Keywords forward-secrecy twisted added

More recent Twisted supports ECDHE out-of-the-box, although I haven't checked whether there is anything preventing Tahoe from using it. Please check with Twisted 15.0.0 and report back whether this works now, without the :dhParameters=params.pem. (If you don't want to install Twisted 15 globally, you can edit the dependency in src/allmydata/_auto_deps.py to "Twisted >= 15.0.0" and rebuild.)

Last edited at 2015-04-13T23:12:27Z by daira (previous) (diff)

comment:3 Changed at 2015-04-12T22:00:46Z by daira

To see which version of Twisted is being used by Tahoe, run tahoe --version-and-path.

Last edited at 2015-04-12T22:01:05Z by daira (previous) (diff)

comment:4 Changed at 2015-04-12T22:02:07Z by daira

  • Owner set to j3i

comment:5 Changed at 2020-01-20T20:54:52Z by exarkun

It is indeed supported by Twisted but you still have to generate and supply your own dh params if you want to use DHE/ECDHE.

I'm not quite sure what the workflow for having Tahoe-LAFS generate these automatically should be, though.

Note: See TracTickets for help on using tickets.