Proposal - SSL Cipher Negotiation Design Change

poly
Oct 30, 2015, 12:15:06 PM
to securi...@chromium.org
Hello,

Firstly, sorry for the email sent by mistake earlier.

I have an inquiry regarding Chrome's handling of the logjam attack and a possible improvement.

While playing around with some servers with short DH keys (poor configuration, not malicious) I saw both FF and Chrome fail the connection with an error similar to "ssl_error_weak_server_ephemeral_dh_key", just as expected. However, if I disabled DHE-based ciphers, the server simply upgraded to a more secure TLS cipher and everything worked out fine.

My question is: would there be any security risk with renegotiating TLS ciphers if the browser encounters a weak DH key? The implementation in mind is that if FF/Chrome receive such a weak key, they would restart the connection, only avoiding the options like "dhe_rsa_aes_128_sha" and "dhe_rsa_aes_256_sha". I imagine this would significantly improve usability.

--
poly
@0xPoly
http://darkdepths.net/pages/public-keys.html

Ryan Sleevi
Oct 30, 2015, 12:27:34 PM
to poly, net-dev
-security-dev (to bcc)
+net-dev

Yes, the security risk is this would allow an attacker to disable forward secrecy by forcing a fallback.
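
Added example, not part of the thread and not browser code: a small model of the retry policy proposed in the first message, reporting whether the suite the client ends up on still provides forward secrecy, the property the reply is concerned with. The suite lists, server profiles and function names are constructed for illustration, and server-preference selection is assumed.

```python
# Constructed client offer, using the naming style from the thread.
CLIENT_SUITES = [
    "ecdhe_rsa_aes_128_gcm_sha256",
    "dhe_rsa_aes_128_sha",
    "dhe_rsa_aes_256_sha",
    "rsa_aes_128_sha",
]

# Constructed server profiles (server preference order).
LEGACY_SERVER = ["dhe_rsa_aes_128_sha", "rsa_aes_128_sha"]
MIXED_SERVER = ["dhe_rsa_aes_128_sha", "ecdhe_rsa_aes_128_gcm_sha256"]


def key_exchange(suite):
    """Key-exchange prefix of a suite name: 'ecdhe', 'dhe' or 'rsa'."""
    return suite.split("_", 1)[0]


def forward_secret(suite):
    """Ephemeral (EC)DH suites give forward secrecy; static RSA does not."""
    return key_exchange(suite) in ("ecdhe", "dhe")


def negotiate(offered, server_pref):
    """Assumed selection rule: first server-preferred suite the client offered."""
    for suite in server_pref:
        if suite in offered:
            return suite
    return None


def connect(server_pref, retry_without_dhe, dh_looks_weak):
    """Return (suite, has_forward_secrecy, fell_back).

    dh_looks_weak is what the client concludes about the DH key it saw in
    the first handshake; the retry policy acts on that conclusion alone.
    """
    suite = negotiate(CLIENT_SUITES, server_pref)
    if suite and key_exchange(suite) == "dhe" and dh_looks_weak:
        if not retry_without_dhe:
            return (None, False, False)  # hard failure, no connection
        offered = [s for s in CLIENT_SUITES if key_exchange(s) != "dhe"]
        suite = negotiate(offered, server_pref)
        return (suite, bool(suite) and forward_secret(suite), True)
    return (suite, bool(suite) and forward_secret(suite), False)
```

With the retry enabled, the constructed legacy server lands on a static-RSA suite and the connection succeeds without forward secrecy; without the retry the same handshake fails visibly.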