Graylog2 / docker-compose

A set of Docker Compose files that allow you to quickly spin up a Graylog instance for testing or demo purposes.
Apache License 2.0

The signing key's size is 208 bits which is not secure enough #60

Closed 8666 closed 5 months ago

8666 commented 5 months ago

This is what I get in the GUI after trying the Provision certificates for your data nodes step:

THE SIGNING KEY'S SIZE IS 208 BITS WHICH IS NOT SECURE ENOUGH FOR THE HS256 ALGORITHM. THE JWT JWA SPECIFICATION (RFC 7518, SECTION 3.2) STATES THAT KEYS USED WITH HS256 MUST HAVE A SIZE >= 256 BITS (THE KEY SIZE MUST BE GREATER THAN OR EQUAL TO THE HASH OUTPUT SIZE). CONSIDER USING THE IO.JSONWEBTOKEN.SECURITY.KEYS CLASS'S 'SECRETKEYFOR(SIGNATUREALGORITHM.HS256)' METHOD TO CREATE A KEY GUARANTEED TO BE SECURE ENOUGH FOR HS256. SEE HTTPS://TOOLS.IETF.ORG/HTML/RFC7518#SECTION-3.2 FOR MORE INFORMATION.

in console:

datanode | Caused by: io.jsonwebtoken.security.WeakKeyException: The signing key's size is 208 bits which is not secure enough for the HS256 algorithm. The JWT JWA Specification (RFC 7518, Section 3.2) states that keys used with HS256 MUST have a size >= 256 bits (the key size must be greater than or equal to the hash output size). Consider using the io.jsonwebtoken.security.Keys class's 'secretKeyFor(SignatureAlgorithm.HS256)' method to create a key guaranteed to be secure enough for HS256. See https://tools.ietf.org/html/rfc7518#section-3.2 for more information.

janheise commented 5 months ago

@8666 Hi, do you use the .env file for your settings? Did you run pwgen -N 1 -s 96 or did you create a shorter secret?
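An added check, not code from the repository or from anyone in this thread: a small Python script that applies the HS256 rule quoted in the error message (key size >= 256 bits, i.e. at least 32 bytes) to the secret in a .env file, measuring the key the same way JJWT does (UTF-8 byte length times 8), and that generates a replacement of the same shape as `pwgen -N 1 -s 96` output. The .env variable name GRAYLOG_PASSWORD_SECRET is assumed here, as is the sample .env content.

```python
import secrets
import string

HS256_MIN_BITS = 256  # RFC 7518 section 3.2: key size must be >= hash output size
SECRET_KEY = "GRAYLOG_PASSWORD_SECRET"  # assumed .env variable name


def parse_env(text):
    """Parse KEY=VALUE lines from .env content; skip blanks and comments."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # Tolerate quoted values, as Compose .env files allow
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def key_bits(secret):
    """JJWT sizes an HMAC key by the UTF-8 byte length of the secret."""
    return len(secret.encode("utf-8")) * 8


def check_secret(env_text):
    """Return the key size in bits and whether it satisfies HS256."""
    secret = parse_env(env_text).get(SECRET_KEY, "")
    bits = key_bits(secret)
    return {"bits": bits, "ok": bits >= HS256_MIN_BITS, "min_chars": HS256_MIN_BITS // 8}


def generate_secret(length=96):
    """Random alphanumeric secret, the shape `pwgen -N 1 -s 96` produces."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed sample: a 26-character secret, which is exactly the 208-bit case
SHORT_ENV = "GRAYLOG_PASSWORD_SECRET=abcdefghijklmnopqrstuvwxyz\n"

if __name__ == "__main__":
    print(check_secret(SHORT_ENV))                               # 208 bits, not ok
    print(check_secret(f"{SECRET_KEY}={generate_secret()}\n"))   # 768 bits, ok
```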

8666 commented 5 months ago

Oh, that's it. I used my own password generator.

janheise commented 5 months ago

@8666 I'm glad that it's working now. Can you please comment which exact version you were using? I was under the impression that we fixed that exact problem by printing an error message and fail the start of the DataNode. But maybe you used an older version?

Edit: just saw that the change was not backported into our current 5.2.x releases. We will do that asap.

8666 commented 5 months ago

Tried 5.2 then 5.2.3

The console error was from datanode. The problem is that I did not read the whole .env file... or the instructions are too long.

The setup should be doable without looking at the console long for the very first password.

Also, it is not clear what password should be used after you finish the setup. I also created a long second password for GRAYLOG_ROOT_PASSWORD_SHA2, so I have a very long web admin password :)