The signing key's size is 208 bits which is not secure enough #60

Closed
8666 opened this issue Jan 31, 2024 · 4 comments
Comments

@8666

8666 commented Jan 31, 2024

This is what I get in the GUI after trying the Provision certificates for your data nodes step:

THE SIGNING KEY'S SIZE IS 208 BITS WHICH IS NOT SECURE ENOUGH FOR THE HS256 ALGORITHM. THE JWT JWA SPECIFICATION (RFC 7518, SECTION 3.2) STATES THAT KEYS USED WITH HS256 MUST HAVE A SIZE >= 256 BITS (THE KEY SIZE MUST BE GREATER THAN OR EQUAL TO THE HASH OUTPUT SIZE). CONSIDER USING THE IO.JSONWEBTOKEN.SECURITY.KEYS CLASS'S 'SECRETKEYFOR(SIGNATUREALGORITHM.HS256)' METHOD TO CREATE A KEY GUARANTEED TO BE SECURE ENOUGH FOR HS256. SEE HTTPS://TOOLS.IETF.ORG/HTML/RFC7518#SECTION-3.2 FOR MORE INFORMATION.

in console:

datanode | Caused by: io.jsonwebtoken.security.WeakKeyException: The signing key's size is 208 bits which is not secure enough for the HS256 algorithm. The JWT JWA Specification (RFC 7518, Section 3.2) states that keys used with HS256 MUST have a size >= 256 bits (the key size must be greater than or equal to the hash output size). Consider using the io.jsonwebtoken.security.Keys class's 'secretKeyFor(SignatureAlgorithm.HS256)' method to create a key guaranteed to be secure enough for HS256. See https://tools.ietf.org/html/rfc7518#section-3.2 for more information.

@janheise
Contributor

@8666 Hi, do you use the .env file for your settings? Did you run pwgen -N 1 -s 96 or did you create a shorter secret?
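
To make the numbers in the error concrete: jjwt measures an HS256 secret as UTF-8 bytes times eight, so a 26-character secret is 208 bits and fails the RFC 7518 section 3.2 floor of 256 bits (the SHA-256 output size), while the 96-character string from pwgen -N 1 -s 96 is 768 bits. The following is an added example, not Graylog or jjwt code: a minimal HS256 JWT signer and verifier in the Python standard library that applies the same key-size check. The secrets SHORT_SECRET and LONG_SECRET are constructed placeholders, not real credentials, and the WeakKeyException class is a local stand-in for jjwt's.

```python
import base64
import hashlib
import hmac
import json

# RFC 7518, Section 3.2: an HMAC key must be at least as long as the hash output.
HS256_MIN_KEY_BITS = hashlib.sha256().digest_size * 8  # 256


class WeakKeyException(ValueError):
    """Local stand-in for io.jsonwebtoken.security.WeakKeyException."""


def key_bits(secret: str) -> int:
    """Key size as jjwt counts it: UTF-8 bytes of the secret times 8."""
    return len(secret.encode("utf-8")) * 8


def is_strong_hs256_key(secret: str) -> bool:
    return key_bits(secret) >= HS256_MIN_KEY_BITS


def check_hs256_key(secret: str) -> int:
    """Return the key size in bits, or raise if it is below the HS256 floor."""
    bits = key_bits(secret)
    if bits < HS256_MIN_KEY_BITS:
        raise WeakKeyException(
            f"The signing key's size is {bits} bits which is not secure enough "
            f"for the HS256 algorithm (RFC 7518, Section 3.2 requires "
            f">= {HS256_MIN_KEY_BITS} bits)."
        )
    return bits


def _b64url(data: bytes) -> str:
    # JWS uses unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(secret: str, claims: dict) -> str:
    """Build a compact JWS (JWT) signed with HS256, refusing weak keys up front."""
    check_hs256_key(secret)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"},
                                separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(secret: str, token: str) -> dict:
    """Check the HS256 signature in constant time and return the claims."""
    check_hs256_key(secret)
    header, payload, sig = token.split(".")
    signing_input = f"{header}.{payload}".encode("ascii")
    expected = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("JWT signature does not verify")
    return json.loads(_b64url_decode(payload))


# Constructed sample secrets for illustration only; never use these for real.
SHORT_SECRET = "abcdefghijklmnopqrstuvwxyz"        # 26 chars -> 208 bits, rejected
LONG_SECRET = ("0123456789abcdef" * 6)              # 96 chars, same length as pwgen -s 96 -> 768 bits


if __name__ == "__main__":
    print("short secret:", key_bits(SHORT_SECRET), "bits, strong:", is_strong_hs256_key(SHORT_SECRET))
    print("long secret: ", key_bits(LONG_SECRET), "bits, strong:", is_strong_hs256_key(LONG_SECRET))
    token = sign_hs256(LONG_SECRET, {"sub": "datanode"})
    print("claims:", verify_hs256(LONG_SECRET, token))
    try:
        sign_hs256(SHORT_SECRET, {"sub": "datanode"})
    except WeakKeyException as exc:
        print("rejected:", exc)
```

Note that the check counts bytes, not characters, so a secret containing multibyte characters scores more bits per character than an ASCII one; the safe habit is to generate at least 32 random bytes (or the 96 random characters the .env instructions call for) rather than to reason about encodings.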

@8666
Author

8666 commented Jan 31, 2024

Oh, that's it. I used my own password generator.

@8666 8666 closed this as completed Jan 31, 2024
@janheise
Contributor

janheise commented Jan 31, 2024

@8666 I'm glad that it's working now. Can you please comment which exact version you were using? I was under the impression that we fixed that exact problem by printing an error message and failing the start of the DataNode. But maybe you used an older version?

Edit: just saw that the change was not backported into our current 5.2.x releases. We will do that asap.

@8666
Author

8666 commented Jan 31, 2024

Tried 5.2, then 5.2.3.

The console error was from datanode. The problem is that I did not read the whole .env file, or the instructions are too long.

The setup should be doable without looking at the console for long for the very first password.

Also, it is not clear which password should be used after you finish the setup. I also created a long second password for GRAYLOG_ROOT_PASSWORD_SHA2, so I have a very long web admin password :)

@8666 8666 reopened this Jan 31, 2024
@8666 8666 closed this as completed Jan 31, 2024