[https://issues.apache.org/jira/browse/KNOX-566?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14619217#comment-14619217]
Jeffrey E Rodriguez commented on KNOX-566:
-------------------------------------------
Hi Larry, I can ask some of my IBM JDK colleagues about the ability to create
appropriately sized keys.
Here is some info I found about the standard JDK; I assume it also applies to
OpenJDK, which is the one we use.
The server I tested has OpenJDK 1.7, thus the DH key is by default 768 bits.
I am reading
https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#customizing_dh_keys
In JDK 1.8 the DH key meets the minimum, which is 1024 bits, which means most
clients (browsers) should work with Knox on JDK 1.8:
"You can specify one of the following values for this property:
Undefined: A DH key of size 1024 bits will be used always for
non-exportable cipher suites. This is the default value for this property.
legacy: The JSSE Oracle provider preserves the legacy behavior (for
example, using ephemeral DH keys of sizes 512 bits and 768 bits) of JDK 7 and
earlier releases.
matched: For non-exportable anonymous cipher suites, the DH key size in
ServerKeyExchange messages is 1024 bits. For X.509 certificate based
authentication (of non-exportable cipher suites), the DH key size matching the
corresponding authentication key is used, except that the size must be between
1024 bits and 2048 bits. For example, if the public key size of an
authentication certificate is 2048 bits, then the ephemeral DH key size should
be 2048 bits unless the cipher suite is exportable. This key sizing scheme
keeps the cryptographic strength consistent between authentication keys and
key-exchange keys.
A valid integer between 1024 and 2048, inclusively: A fixed ephemeral DH
key size of the specified value, in bits, will be used for non-exportable
cipher suites.
"
> Knox Jetty server is vulnerable to Logjam vulnerability
> -------------------------------------------------------
>
> Key: KNOX-566
> URL: https://issues.apache.org/jira/browse/KNOX-566
> Project: Apache Knox
> Issue Type: Bug
> Affects Versions: 0.5.0
> Environment: Red Hat Enterprise Linux Server release 6.4 (Santiago)
> Reporter: Jeffrey E Rodriguez
> Fix For: 0.7.0
>
>
> See the description of Logjam:
> "The Logjam Attack"
> https://weakdh.org/
> To test you should do:
> [root@bdvs1392 logs]# openssl s_client -connect bdvs1392.svl.ibm.com:8443 -cipher "EDH" | grep "Server Temp Key"
> depth=0 C = US, ST = Test, L = Test, O = Hadoop, OU = Test, CN = bdvs1392.svl.ibm.com
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 C = US, ST = Test, L = Test, O = Hadoop, OU = Test, CN = bdvs1392.svl.ibm.com
> verify return:1
> Server Temp Key: DH, 768 bits
> The key should be >= 1024.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
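The ticket's probe, turned into a repeatable check (added example, not code from the Knox project or from the ticket): it parses the "Server Temp Key" line that openssl s_client prints for DHE suites and grades the size against the 1024-bit floor the ticket cites and a 2048-bit recommended size, both thresholds being this example's own choice. The sample s_client output embedded below is constructed, mirroring the shape of the ticket's transcript; the hostname in it is a placeholder.

```shell
#!/bin/sh
# Thresholds are this example's policy: 1024 is the floor the ticket cites,
# 2048 is what a current deployment should offer (see weakdh.org).
MIN_DH_BITS=1024
RECOMMENDED_DH_BITS=2048

# Constructed sample of `openssl s_client -connect HOST:8443 -cipher EDH` output
# (self-signed test certificate, placeholder hostname), not a real capture.
SAMPLE_OUTPUT='depth=0 C = US, ST = Test, L = Test, O = Hadoop, OU = Test, CN = knox.example.test
verify error:num=18:self signed certificate
verify return:1
Server Temp Key: DH, 768 bits
---
SSL handshake has read 2231 bytes and written 519 bytes'

# dh_key_bits OUTPUT: print the ephemeral DH size from s_client output,
# or 0 when no finite-field DH key was offered (e.g. an ECDH line, or no line at all).
dh_key_bits() {
    printf '%s\n' "$1" |
        awk '/^Server Temp Key: DH, / { print $5; found = 1; exit }
             END { if (!found) print 0 }'
}

# dh_verdict BITS: classify a DH size against the thresholds above.
dh_verdict() {
    if [ "$1" -eq 0 ]; then echo "no-dhe"
    elif [ "$1" -lt "$MIN_DH_BITS" ]; then echo "weak"
    elif [ "$1" -lt "$RECOMMENDED_DH_BITS" ]; then echo "legacy"
    else echo "ok"
    fi
}

# check_dh_host HOST PORT: run the ticket's probe against a live server (needs network).
# -cipher EDH restricts the offer to DHE suites, so the temp key printed is the DH one;
# this covers TLS 1.2 and earlier, where Logjam applies.
check_dh_host() {
    out=$(openssl s_client -connect "$1:$2" -cipher EDH </dev/null 2>/dev/null)
    bits=$(dh_key_bits "$out")
    echo "$1:$2 DH ${bits} bits -> $(dh_verdict "$bits")"
}

# Offline demo on the constructed sample; pass HOST PORT to probe a real server.
if [ "$#" -eq 2 ]; then
    check_dh_host "$1" "$2"
else
    bits=$(dh_key_bits "$SAMPLE_OUTPUT")
    echo "sample: DH ${bits} bits -> $(dh_verdict "$bits")"
fi
```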