OpenSSL 3 started generating DH parameters that are not considered valid by DH_check for older OpenSSL 1.0.2.

Since we can't change clients in the wild, I generated a set of DH params (openssl dhparam 2048) on an older OpenSSL 1.0.2 which appears to be considered acceptable by both versions of OpenSSL.

This fixes the set of DH parameters (instead of generating them each time), which is fairly typical, and also increases the size from 512 (insecure) to 2048.

Fixes #2014

You can view, comment on, or merge this pull request online at:

https://github.com/xrootd/xrootd/pull/2026

Commit Summary

28d616b Switch to a fixed set of DH parameters compatible with older OpenSSL.

File Changes

(2 files)

M src/XrdCrypto/XrdCryptosslCipher.cc (25)
M src/XrdCrypto/XrdCryptosslCipher.hh (2)

Patch Links:

—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.

[ { "@context": "http://schema.org", "@type": "EmailMessage", "potentialAction": { "@type": "ViewAction", "target": "https://github.com/xrootd/xrootd/pull/2026", "url": "https://github.com/xrootd/xrootd/pull/2026", "name": "View Pull Request" }, "description": "View this Pull Request on GitHub", "publisher": { "@type": "Organization", "name": "GitHub", "url": "https://github.com" } } ]

Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1