Logjam

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi

the logjam attack comes in two part. One is about downgrading 
cipher choice because a TLS setup allows EWPORT ciphers. glusterfs 
can thwart this by setting ssl.cipher-list to something hardened enough
(ECDH:DH:!TLSv1:!aNULL!eNULL seems nice);

Second part is about using pre-computed DH paramaeters. It can be
worked around aither by
- removing DH ciphers, which leads to a lack of diversity we may regret
  later
- computing your own DH params using openssl dhparam command. Unfortunately
  glusterfs cannot use that.

Adding support for loading a DH parameter file is not very difficult:
  /* generate: openssl dhparam 2048 > /etc/ssl/dhparam.pem */ 
  #define DEFAULT_DHPARAM_PATH     DEFAULT_ETC_SSL "/dhparam.pem"
  /* default: priv->ssl_dhparam = DEFAULT_DHPARAM_PATH; */
  /* (...) */

  DH *dhpatams;
  BIO *bio;
  if ((bio = BIO_new_file(priv->ssl_dhparam, "r")) != NULL) {
    dhparams = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
    SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);
    BIO_free(bio);
  } else {
    /* display error */
  }

I am a bit too busy on other fronts to submit code, but whoever is
interested.... Of course there should also be the code for
setting a transport.socket.ssl-dhparam option so that 
DEFAULT_DHPARAM_PATH does not remain hard-coded.

-- 
Emmanuel Dreyfus
manu@xxxxxxxxxx
_______________________________________________
Gluster-devel mailing list
Gluster-devel@xxxxxxxxxxx
http://www.gluster.org/mailman/listinfo/gluster-devel




[Index of Archives]     [Gluster Users]     [Ceph Users]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux