Commit
Fix: libcrmcommon: get DH prime bit length from GnuTLS API
Previously, Pacemaker hard-coded a prime length of 1024 bits when generating Diffie-Hellman parameters for a TLS server. This value was chosen in 2007, but the ideal value increases over time. The current best practice is to allow the client and server to negotiate Diffie-Hellman parameters using a TLS extension (RFC 7919). However, we have to support both older versions of GnuTLS that don't support the extension on our side, and older Pacemaker versions that don't support the extension on the other side. We can improve the situation by querying the GnuTLS library for an appropriate prime length, when the library supports that. This also refactors the DH initialization code into a new library function, and handles errors by logging and failing, rather than continuing with insufficiently initialized parameters.
Showing 5 changed files with 62 additions and 5 deletions.