
Fix: libcrmcommon: get DH prime bit length from GnuTLS API

Description

Previously, Pacemaker hard-coded a prime length of 1024 bits when generating
Diffie-Hellman parameters for a TLS server. This value was chosen in 2007,
but the ideal value increases over time.

The current best practice is to allow the client and server to negotiate
Diffie-Hellman parameters using a TLS extension (RFC 7919). However, we have to
support both older versions of GnuTLS that don't support the extension on our
side, and older Pacemaker versions that don't support the extension on the
other side.

We can improve the situation by querying the GnuTLS library for an appropriate
prime length, when the library supports that.

This also refactors the DH initialization code into a new library function,
and handles errors by logging and failing, rather than continuing with
insufficiently initialized parameters.

Details

Provenance: kgaillot, authored on Sep 6 2018, 1:54 PM
Parents: rPef5e209fbbad: Low: libcrmcommon: improve TLS session initialization failure handling
Branches: Unknown
Tags: Unknown