The signing key's size is 208 bits which is not secure enough #60
Comments
@8666 Hi, do you use the
oh that's it.. I used my own password generator.
@8666 I'm glad that it's working now. Can you please comment which exact version you were using? I was under the impression that we fixed that exact problem by printing an error message and failing the start of the DataNode. But maybe you used an older version? Edit: just saw that the change was not backported into our current 5.2.x releases. We will do that asap.
Tried 5.2 then 5.2.3. The console error was from datanode. The problem is that I did not read the whole .env file .. or the instructions are too long. The setup should be doable without looking at the console long for the very first password. Also it is not clear what password should be used after you finish the setup. I also created a long 2nd password for GRAYLOG_ROOT_PASSWORD_SHA2.
This is what I get in the GUI after trying the Provision certificates for your data nodes step:
THE SIGNING KEY'S SIZE IS 208 BITS WHICH IS NOT SECURE ENOUGH FOR THE HS256 ALGORITHM. THE JWT JWA SPECIFICATION (RFC 7518, SECTION 3.2) STATES THAT KEYS USED WITH HS256 MUST HAVE A SIZE >= 256 BITS (THE KEY SIZE MUST BE GREATER THAN OR EQUAL TO THE HASH OUTPUT SIZE). CONSIDER USING THE IO.JSONWEBTOKEN.SECURITY.KEYS CLASS'S 'SECRETKEYFOR(SIGNATUREALGORITHM.HS256)' METHOD TO CREATE A KEY GUARANTEED TO BE SECURE ENOUGH FOR HS256. SEE HTTPS://TOOLS.IETF.ORG/HTML/RFC7518#SECTION-3.2 FOR MORE INFORMATION.
in console:
datanode | Caused by: io.jsonwebtoken.security.WeakKeyException: The signing key's size is 208 bits which is not secure enough for the HS256 algorithm. The JWT JWA Specification (RFC 7518, Section 3.2) states that keys used with HS256 MUST have a size >= 256 bits (the key size must be greater than or equal to the hash output size). Consider using the io.jsonwebtoken.security.Keys class's 'secretKeyFor(SignatureAlgorithm.HS256)' method to create a key guaranteed to be secure enough for HS256. See https://tools.ietf.org/html/rfc7518#section-3.2 for more information.
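A pre-flight check for the failure reported above, as an added example that is not part of the original issue or the project's own code: it measures a secret from a `.env` file in bits and rejects anything below the 256-bit HS256 minimum (a 26-character ASCII secret is 26 × 8 = 208 bits). The variable name `GRAYLOG_PASSWORD_SECRET` in the usage comment is an assumption, as is the idea that this value is what ends up as the signing key; the thread does not name the variable.

```shell
#!/bin/sh
# Added example: verify that a secret stored in a .env file is long enough to
# be used as an HS256 key (RFC 7518, Section 3.2: key size >= 256 bits).
# Usage (variable name is an assumption, not taken from the thread):
#   sh check_secret.sh .env GRAYLOG_PASSWORD_SECRET

MIN_BITS=256

# Print the size of a string in bits, counted in bytes rather than characters,
# because the key is the byte encoding of the secret.
secret_bits() {
    bytes=$(printf '%s' "$1" | wc -c)
    echo $((bytes * 8))
}

# Print the value of variable $2 from env file $1 (last assignment wins),
# dropping trailing whitespace and one pair of surrounding quotes.
env_value() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Return 0 if the secret is long enough, 1 if too short, 2 if missing or empty.
check_env_secret() {
    value=$(env_value "$1" "$2")
    if [ -z "$value" ]; then
        echo "$2: not set in $1" >&2
        return 2
    fi
    bits=$(secret_bits "$value")
    if [ "$bits" -lt "$MIN_BITS" ]; then
        echo "$2: $bits bits, HS256 needs >= $MIN_BITS" >&2
        return 1
    fi
    echo "$2: $bits bits, ok"
}

# Print a fresh secret: 32 bytes from the kernel CSPRNG as 64 hex characters
# (256 bits of entropy, 512 bits when measured as a string).
new_secret() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

if [ "$#" -eq 2 ]; then
    check_env_secret "$1" "$2"
fi
```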