tls: prevent server from using dhe keys < 768 #3890

Closed
wants to merge 1 commit into from

Commits on Nov 19, 2015

  1. tls: prevent server from using dhe keys < 768

    As part of the fix for logjam, node was upgraded to a
    level of openssl which rejects connections to servers that
    are using keys smaller than 768 bits. It is still possible,
    however, to create a server that uses a smaller key size
    and an older client may be able to connect to it.
    
    This PR moves us to a secure by default stance on the
    server side as well, preventing the creation of a server
    using a dhe key size less than 768. This can be overridden
    with the command line option which is also added.
    
    It is derived from
    
    nodejs@9b35be5
    
    which was landed in later io.js/node versions but makes
    the limit 1024.  This PR uses the smaller limit in order
    to meet the recommendations for logjam while matching what
    was done on the client side in openssl to minimize the
    potential impact on users.
    
    The command line option will only be documented in the
    release notes and will not be added to the tls
    documentation.  The goal is that people who are
    upgrading are aware and can use the option if they
    run into issues, but otherwise the option is not
    visible/used.
    
    Address review comments 1
    
    Address second set of review comments
    mhdawson committed Nov 19, 2015
    634c2d4