Document Diffie-Hellman key increase and set default to 2048 #689

Closed
de-jcup opened this issue Jul 6, 2021 · 1 comment · Fixed by #697

Comments

de-jcup commented Jul 6, 2021

Situation

The default Diffie-Hellman key length in Java is still 1024. Reading https://weakdh.org/ you will find:

If you’re a sysadmin or developer …

Make sure any TLS libraries you use are up-to-date, that servers you maintain use 2048-bit or larger primes, and that clients you maintain reject Diffie-Hellman primes smaller than 1024-bit.

Wanted

We mention this in our SecHub and PDS documentation AND we set a default inside application.yaml for SecHub Server AND for PDS a default value of 2048.

Technical information/solution

Starting with JDK 8 it became possible to set a DH key length greater than 1024 by setting the system property jdk.tls.ephemeralDHKeySize to the wanted key size.

Links:

de-jcup changed the title "Either document Diffie-Hellman key increase or set a default to 2048" to "Document Diffie-Hellman key increase and set default to 2048" Jul 6, 2021
de-jcup self-assigned this Jul 7, 2021

de-jcup commented Jul 7, 2021

Simply setting jdk.tls.ephemeralDHKeySize inside application.yaml is unfortunately not the solution, because it is not automatically injected by Spring Boot as a system property.

So we will introduce

  • SecHubSystemPropertyInjector which handles spring boot value sechub.security.diffiehellman.length
  • PDSSystemPropertyInjector which handles spring boot value pds.security.diffiehellman.length

Values will be set as usual inside the corresponding application.yaml and then injected automatically as the system property jdk.tls.ephemeralDHKeySize by the injector.

(If there is a need to inject another Java system property later, we can do this in the two mentioned classes for
SecHub and PDS as well, so we have a central point.)
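The injection idea described in the comment above, as an added illustration that is not SecHub's own code: a Spring Boot component reads the configured length and copies it into the JDK property before the embedded server opens its TLS listener. The property key sechub.security.diffiehellman.length and the 2048 default come from this issue; the class body, the lower-bound check and the handling of an already-set JVM value are assumptions made for this example.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

/**
 * Copies the configured Diffie-Hellman key length into the system property the
 * JSSE stack reads. Constructor injection runs during context refresh, i.e.
 * before the embedded web server starts and initialises its SSLContext, which
 * is the point at which jdk.tls.ephemeralDHKeySize must already be set.
 */
@Component
public class SecHubSystemPropertyInjector {

    static final String DH_KEY_SIZE_PROPERTY = "jdk.tls.ephemeralDHKeySize";

    /* Minimum recommended by weakdh.org for servers (assumption: enforced here). */
    static final int MINIMUM_SERVER_DH_BITS = 2048;

    public SecHubSystemPropertyInjector(
            @Value("${sechub.security.diffiehellman.length:2048}") int dhKeyLength) {

        /* Refuse to start with a weaker group than the documented default. */
        if (dhKeyLength < MINIMUM_SERVER_DH_BITS) {
            throw new IllegalStateException("sechub.security.diffiehellman.length="
                    + dhKeyLength + " is below the required minimum of "
                    + MINIMUM_SERVER_DH_BITS + " bits");
        }

        /* A value given on the command line (-Djdk.tls.ephemeralDHKeySize=...)
         * wins, so an operator can still override application.yaml explicitly. */
        String existing = System.getProperty(DH_KEY_SIZE_PROPERTY);
        if (existing != null) {
            return;
        }
        System.setProperty(DH_KEY_SIZE_PROPERTY, Integer.toString(dhKeyLength));
    }

    /* Exposed for a start-up check or test: the value the TLS stack will use. */
    public static String effectiveDhKeySize() {
        return System.getProperty(DH_KEY_SIZE_PROPERTY);
    }
}
```

Whether the setting actually took effect can be confirmed by inspecting a handshake with the server (for example the ServerKeyExchange message in a `-Djavax.net.debug=ssl:handshake` log), since the property is read once when the TLS implementation initialises.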

de-jcup added a commit that referenced this issue Jul 7, 2021
- introduce SystemPropertyInjector classes and
  special keys for PDS and SecHub server, so configurable
  by `application.yaml` files
- `application.yaml` files do now contain 2048 as default value
- documentation will be generated and points to issue at github
  for details
de-jcup added a commit that referenced this issue Jul 7, 2021
- dropped unnecessary (and wrong) comments
- updated javadoc
de-jcup added a commit that referenced this issue Jul 7, 2021
…default-to-2048

Changed default diffie hellman length to 2048 #689
de-jcup closed this as completed Jul 7, 2021