Bug 1989713
| Summary: | OpenSSL client accepts weak (1024 bit) DH parameters with both LEGACY and DEFAULT policy | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Alicja Kario <hkario> |
| Component: | openssl | Assignee: | Sahana Prasad <sahana> |
| Status: | CLOSED ERRATA | QA Contact: | Alicja Kario <hkario> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | CentOS Stream | CC: | bstinson, dbelyavs, jwboyer |
| Target Milestone: | beta | Keywords: | Triaged |
| Target Release: | --- | Flags: | pm-rhel:
mirror+
|
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | openssl-3.0.0-5.el9 | Doc Type: | No Doc Update |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-05-17 15:36:30 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2035249 | ||
| Bug Blocks: | |||
|
Description
Alicja Kario
2021-08-03 18:43:14 UTC
Server setup: openssl dhparam 1024 -out dhparam.pem openssl req -x509 -newkey rsa -keyout server.pem -out cert.pem -subj /CN=localhost -nodes -batch openssl s_server -cert cert.pem -key server.pem -dhparam dhparam.pem -cipher DHE:@SECLEVEL=1 -www -no_tls1_3 Client setup: openssl s_client -no_tls1_3 -CAfile cert.pem Client output: 000003FF80472710:error:0A00018A:SSL routines:tls_process_ske_dhe:dh key too small:ssl/statem/statem_clnt.c:2085: Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (new packages: openssl), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:3900 |