Bug 1679841

Summary: Diffie-Hellman keysize < 2048 in logging-es
Product: OpenShift Container Platform Reporter: sfu <sfu>
Component: LoggingAssignee: Rich Megginson <rmeggins>
Status: CLOSED ERRATA QA Contact: Anping Li <anli>
Severity: high Docs Contact:
Priority: unspecified    
Version: 3.9.0CC: aos-bugs, jcantril, jinjli, openshift-bugs-escalate, rmeggins
Target Milestone: ---   
Target Release: 3.9.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openshift3/logging-elasticsearch:v3.9.73-1 Doc Type: Bug Fix
Doc Text:
Cause: The SSL/TLS service uses Diffie-Hellman groups with insufficient strength (key size < 2048) Consequence: The keys are more vulnerable Fix: Increase the key strength Result: The certificates are more secure
 Story Points: ---
Clone Of:
: 1685655 (view as bug list) Environment:
Last Closed: 2019-04-09 14:20:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1685655, 1686140    

Description sfu@redhat.com 2019-02-22 02:01:53 UTC 
Description of problem:

SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability
The SSL/TLS service uses Diffie-Hellman groups with insufficient strength (key size < 2048).


Version-Release number of selected component (if applicable):
OCP version 3.9.51
ES image version 3.9.43


How reproducible:
Customer using Vulnerability scanning tool to get this issue report

Steps to Reproduce:
in ES 3.9 image,it doesn't contains openssl command,cannot sure the keysize length,but in 3.11 it seems the default keysize is already 2048bit:

===================================================================
sh-4.2$ openssl s_client -connect www.example.com:443 -cipher "EDH" | grep "Server Temp Key"
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = US, ST = California, L = Los Angeles, O = Internet Corporation for Assigned Names and Numbers, OU = Technology, CN = www.example.org
verify return:1
Server Temp Key: DH, 2048 bits

sh-4.2$ rpm -qa |grep openssl
openssl-1.0.2k-12.el7.x86_64
openssl-libs-1.0.2k-12.el7.x86_64
===================================================================
Comment 5 Rich Megginson 2019-03-11 15:48:54 UTC 
https://github.com/openshift/origin-aggregated-logging/pull/1553
Comment 6 Rich Megginson 2019-03-11 17:52:07 UTC 
merged upstream https://github.com/openshift/origin-aggregated-logging/commit/4f414d0b9076bb096a329b1d1cc78e895b954815
Comment 8 Anping Li 2019-03-25 09:43:59 UTC 
Verified the fix is in elasticsearch:v3.9.74
Comment 10 errata-xmlrpc 2019-04-09 14:20:18 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0619