Hi, the Logjam attack comes in two parts.

One is about downgrading the cipher choice because a TLS setup allows
EXPORT ciphers. glusterfs can thwart this by setting ssl.cipher-list to
something hardened enough (ECDH:DH:!TLSv1:!aNULL:!eNULL seems nice).

The second part is about using pre-computed DH parameters. It can be
worked around either by
- removing DH ciphers, which leads to a lack of diversity we may regret
  later
- computing your own DH params using the openssl dhparam command.
  Unfortunately glusterfs cannot use that.

Adding support for loading a DH parameter file is not very difficult:

    /* generate: openssl dhparam 2048 > /etc/ssl/dhparam.pem */
    #include <openssl/bio.h>
    #include <openssl/dh.h>
    #include <openssl/pem.h>
    #include <openssl/ssl.h>

    #define DEFAULT_DHPARAM_PATH DEFAULT_ETC_SSL "/dhparam.pem"

    /* default: priv->ssl_dhparam = DEFAULT_DHPARAM_PATH; */

    /* (...) */
    DH *dhparams = NULL;
    BIO *bio;

    if ((bio = BIO_new_file(priv->ssl_dhparam, "r")) != NULL) {
            dhparams = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
            BIO_free(bio);
            if (dhparams != NULL) {
                    /* SSL_CTX_set_tmp_dh() copies the parameters into
                     * the context, so the DH object is freed afterwards */
                    SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);
                    DH_free(dhparams);
            } else {
                    /* display error: not a PEM "DH PARAMETERS" file */
            }
    } else {
            /* display error: cannot open priv->ssl_dhparam */
    }

I am a bit too busy on other fronts to submit code, but whoever is
interested....

Of course there should also be the code for setting a
transport.socket.ssl-dhparam option so that DEFAULT_DHPARAM_PATH does
not remain hard-coded.

-- 
Emmanuel Dreyfus
manu@xxxxxxxxxx
_______________________________________________
Gluster-devel mailing list
Gluster-devel@xxxxxxxxxxx
http://www.gluster.org/mailman/listinfo/gluster-devel