Description of problem:
SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability
The SSL/TLS service uses Diffie-Hellman groups with insufficient strength (key size < 2048).

Version-Release number of selected component (if applicable):
OCP version 3.9.51
ES image version 3.9.43

How reproducible:
Customer using a vulnerability scanning tool gets this issue reported

Steps to Reproduce:
In the ES 3.9 image, it doesn't contain the openssl command, so I cannot be sure of the key size length, but in 3.11 it seems the default key size is already 2048 bits:
===================================================================
sh-4.2$ openssl s_client -connect www.example.com:443 -cipher "EDH" | grep "Server Temp Key"
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = US, ST = California, L = Los Angeles, O = Internet Corporation for Assigned Names and Numbers, OU = Technology, CN = www.example.org
verify return:1
Server Temp Key: DH, 2048 bits
sh-4.2$ rpm -qa |grep openssl
openssl-1.0.2k-12.el7.x86_64
openssl-libs-1.0.2k-12.el7.x86_64
===================================================================
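The check above can be scripted so that the scanner finding is reproducible from any host that has openssl installed (the 3.9 ES image itself does not). The following is an added example, not part of the bug report or of the origin-aggregated-logging project: it parses the `Server Temp Key:` line that `openssl s_client -cipher EDH` prints, as shown in the session above, and fails when the negotiated finite-field DH group is smaller than 2048 bits. It assumes the `Server Temp Key: DH, <n> bits` line format shown in the report, treats `ECDH`/`X25519` temp keys as out of scope (the finding concerns finite-field DH groups only), and uses constructed sample lines rather than output captured from a real host. The `scan_host` wrapper needs network access and is the only part that is not exercised offline.

```shell
#!/bin/sh
# Added example: flag finite-field DH groups below 2048 bits in
# `openssl s_client` output. Not taken from the bug report.

MIN_DH_BITS=2048

# dh_bits_from_output: read s_client output on stdin and print the size of
# the ephemeral finite-field DH group in bits, or 0 if none was negotiated
# (ECDH / X25519 temp keys are deliberately not counted).
dh_bits_from_output() {
    # "Server Temp Key: DH, 2048 bits" -> fields: Server Temp Key: DH 2048 bits
    awk -F'[ ,]+' '
        /Server Temp Key: DH,/ { print $5; found = 1; exit }
        END { if (!found) print 0 }
    '
}

# check_dh_group: read s_client output on stdin; return 0 when the DH group
# is at least MIN_DH_BITS bits (or no finite-field DH was used), 1 otherwise.
check_dh_group() {
    bits=$(dh_bits_from_output)
    if [ "$bits" -eq 0 ]; then
        echo "no finite-field DH key exchange negotiated (ECDHE or RSA instead)"
        return 0
    fi
    if [ "$bits" -lt "$MIN_DH_BITS" ]; then
        echo "WEAK: DH group is $bits bits (< $MIN_DH_BITS)"
        return 1
    fi
    echo "OK: DH group is $bits bits"
    return 0
}

# scan_host HOST [PORT]: run the same s_client probe as the bug report
# (forcing EDH ciphers so a DH group is negotiated) and grade the result.
# Requires network access; </dev/null stops s_client waiting for input.
scan_host() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -cipher EDH </dev/null 2>/dev/null \
        | check_dh_group
}

# Constructed sample lines (not captured from a real server) used for the
# offline demonstration below.
SAMPLE_STRONG='Server Temp Key: DH, 2048 bits'
SAMPLE_WEAK='Server Temp Key: DH, 1024 bits'
SAMPLE_ECDH='Server Temp Key: ECDH, P-256, 256 bits'

# Offline demo: grade each constructed sample.
for sample in "$SAMPLE_STRONG" "$SAMPLE_WEAK" "$SAMPLE_ECDH"; do
    printf '%s\n' "$sample" | check_dh_group || true
done
```

Against a live endpoint, `scan_host logging-es.example.internal 9200` (hostname and port are placeholders) prints `WEAK:` and exits non-zero for a 1024-bit group, which is the condition the scanner reports; a 2048-bit group, or an ECDHE-only server, passes.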
https://github.com/openshift/origin-aggregated-logging/pull/1553
merged upstream https://github.com/openshift/origin-aggregated-logging/commit/4f414d0b9076bb096a329b1d1cc78e895b954815
Verified the fix is in elasticsearch:v3.9.74
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0619