ecmwf / ecflow

ECMWF's workflow manager
Apache License 2.0

ECFLOW-1790: Default to 2048-bit dh keys #13

Closed mpartio closed 2 years ago

mpartio commented 2 years ago

RHEL8 requires at least a 2048-bit dh key in its default crypto configuration, to prevent Logjam attacks.

OpenSSL is also slowly moving towards accepting only bigger keys, the current minimum length being 768 bits.

In ecFlow, by default try to use a 2048-bit dh key. For backwards compatibility, fall back to a 1024-bit key, even if that might mean that OpenSSL might reject it.

For more information see 'Logjam' security vulnerability

https://weakdh.org
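A sketch of the selection the description outlines (prefer 2048-bit parameters, fall back to 1024-bit ones), added here as an illustration; it is not ecFlow's code. The names `dh_prime_bits`, `choose_dh` and `sample_params` are hypothetical, the inputs are assumed to be the DER bytes of a DH parameters file with the PEM armor already removed, and the sample parameters are constructed values, not real primes.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>
using Bytes = std::vector<std::uint8_t>;
// Read one DER header with the expected tag; on success pos is at the content and len is its size.
static bool der_header(const Bytes& d, std::size_t& pos, std::uint8_t tag, std::size_t& len) {
    if (d.size() < pos + 2 || d[pos] != tag) return false;
    len = d[pos + 1];
    pos += 2;
    if (len & 0x80) {  // long form: low 7 bits give the number of length bytes
        std::size_t n = len & 0x7f;
        if (n == 0 || n > 2 || d.size() - pos < n) return false;
        for (len = 0; n > 0; --n) len = (len << 8) | d[pos++];
    }
    return len <= d.size() - pos;
}
// Bit length of p in DHParameter ::= SEQUENCE { INTEGER p, INTEGER g }; 0 if malformed.
std::size_t dh_prime_bits(const Bytes& der) {
    std::size_t pos = 0, len = 0;
    if (!der_header(der, pos, 0x30, len) || !der_header(der, pos, 0x02, len)) return 0;
    const std::size_t end = pos + len;
    while (pos < end && der[pos] == 0) ++pos;  // skip the sign byte / leading zeros
    if (pos == end) return 0;
    std::size_t bits = (end - pos) * 8;
    for (unsigned top = der[pos]; !(top & 0x80); top <<= 1) --bits;
    return bits;
}
// Prefer 2048-bit parameters; the 1024-bit fallback may still be refused by a strict crypto policy.
const Bytes* choose_dh(const Bytes& preferred, const Bytes& fallback) {
    if (dh_prime_bits(preferred) >= 2048) return &preferred;
    if (dh_prime_bits(fallback) >= 1024) return &fallback;
    return nullptr;  // nothing acceptable: fail closed instead of loading weaker parameters
}
// Constructed sample input (assumption): DER with an odd p of exactly `bits` bits and g = 2.
static Bytes tlv(std::uint8_t tag, const Bytes& v) {
    Bytes o{tag};
    if (v.size() >= 0x100) { o.push_back(0x82); o.push_back(static_cast<std::uint8_t>(v.size() >> 8)); }
    else if (v.size() >= 0x80) o.push_back(0x81);
    o.push_back(static_cast<std::uint8_t>(v.size() & 0xff));
    o.insert(o.end(), v.begin(), v.end());
    return o;
}
Bytes sample_params(std::size_t bits) {  // bits: a multiple of 8, at least 16
    Bytes p(bits / 8 + 1, 0x00);  // leading 0x00 keeps the INTEGER positive
    p[1] = 0x80; p.back() = 0x01;  // top bit set, low bit set
    Bytes body = tlv(0x02, p), g = tlv(0x02, {0x02});
    body.insert(body.end(), g.begin(), g.end());
    return tlv(0x30, body);
}
```

Checking the prime size before handing the parameters to the TLS library makes the fallback an explicit, loggable decision rather than a handshake failure discovered later.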

FussyDuck commented 2 years ago

CLA assistant check
All committers have signed the CLA.

shahramn commented 2 years ago

I am just checking the file ./SCRATCH/src/server.cpp (the change here is not backward compatible). But it seems this is a test file and is not even compiled.

iainrussell commented 2 years ago

Nice! Thank you @mpartio and @shahramn!