HomeClusterLabs Projects
Diffusion Pacemaker 875e2d1bd846

Fix: libcrmcommon: get DH prime bit length from GnuTLS API
875e2d1bd846
Actions

Description

Fix: libcrmcommon: get DH prime bit length from GnuTLS API

Previously, Pacemaker hard-coded a prime length of 1024 bits when generating
Diffie-Hellman parameters for a TLS server. This value was chosen in 2007,
but the ideal value increases over time.

The current best practice is to allow the client and server to negotiate
Diffie-Hellman parameters using a TLS extension (RFC 7919). However, we have to
support both older versions of GnuTLS that don't support the extension on our
side, and older Pacemaker versions that don't support the extension on the
other side.

We can improve the situation by querying the GnuTLS library for an appropriate
prime length, when the library supports that.

This also refactors the DH initialization code into a new library function,
and handles errors by logging and failing, rather than continuing with
insufficiently initialized parameters.

Details

Provenance
kgaillotAuthored on Sep 6 2018, 1:54 PM
Parents
rPef5e209fbbad: Low: libcrmcommon: improve TLS session initialization failure handling
Branches
Unknown
Tags
Unknown

Event Timeline

Changes (5)

PathSize
daemons/
based/
execd/
include/
crm/
common/
lib/
common/

rP875e2d1bd846

View Options

configure.ac

Loading...
View Options

daemons/based/based_remote.c

Loading...
View Options

daemons/execd/remoted_tls.c

Loading...
View Options

include/crm/common/remote_internal.h

Loading...
View Options

lib/common/remote.c

Loading...