ecmwf / ecflow

ECMWF's workflow manager
Apache License 2.0
41 stars 15 forks source link

ECFLOW-1790: Default to 2048-bit dh keys #12

Closed mpartio closed 2 years ago

mpartio commented 2 years ago

RHEL8 requires at least 2048-bit dh key in it's default crypto configuration, to prevent Log Jam attacks.

Openssl is also slowly moving towards accepting only bigger keys, the current minimum length being 768 bits.

In ecFlow by default try to use a 2048-bit dh key. For backwards compatibility fall back to a 1024-bit key, even if that might mean that Openssl might reject it.

For more information see 'Logjam' security vulnerability

https://weakdh.org

FussyDuck commented 2 years ago

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.