Red Hat Bugzilla – Bug 1021946
socat: default DH parameters should be larger
Last modified: 2017-10-03 21:24:53 EDT
At least a 1024 bit prime should be used as the default. Generating a file with the parameters at installation time might not be feasible, but it would prevent any appearance of choosing a special prime that makes the discrete logarithm problem feasible.
Author: Gerhard Rieger <email@example.com>
Date: Sun Jan 4 16:38:36 2015 +0100
FIPS requires 1024 bit DH prime
(In reply to Florian Weimer from comment #4)
> Upstream fix:
> commit 281d1bd6515c2f0f8984fc168fb3d3b91c20bdc0
> Author: Gerhard Rieger <firstname.lastname@example.org>
> Date: Sun Jan 4 16:38:36 2015 +0100
> FIPS requires 1024 bit DH prime
This upstream fix:
was found to be problematic - see CVE-2016-2217 / bug 1305437, and replaced with:
this fix is in 184.108.40.206 as well
Any update, why don't we upgrade socat?
+1 for this, socat also has issues when used in a MariaDB Galera cluster with SSL/TLS SST - https://jira.mariadb.org/browse/MDEV-9403
Please rebase socat to the latest stable 220.127.116.11 version.
I needed it for additional fun with MariaDB, so I've rebuilt the package with COPR: https://copr.fedorainfracloud.org/coprs/mstefany/socat/