
MCLOUD-6469: dh key too small when trying to use magento-cloud-docker-tls #273


Merged
merged 2 commits into from
Aug 14, 2020

Conversation

oshmyheliuk
Contributor

@oshmyheliuk oshmyheliuk commented Aug 11, 2020

Description

Changed the security level in /etc/ssl/openssl.cnf to avoid the dh key too small error

Fixed Issues (if relevant)

https://jira.corp.magento.com/browse/MCLOUD-6469

Manual testing scenarios

  1. Install Magento 2.4.0 in Docker
  2. Connect to the fpm container:
    docker exec -it magento-cloud_fpm_1 bash
  3. Run the command
    curl -k https://tls.magento2.docker/
    It returns the error dh key too small
  4. Run docker-compose down -v
  5. Build the php-fpm image from the branch:
    docker build -t magento-cloud-docker-php-fpm-6469 images/php/7.4-fpm
  6. Change the docker-compose.yaml file:
    fpm:
      hostname: fpm.magento2.docker
      image: 'magento-cloud-docker-php-fpm-6469'
  7. Run docker-compose up -d, then:
    docker-compose run build cloud-build
    docker-compose run deploy cloud-deploy
    docker-compose run deploy cloud-post-deploy
  8. Connect to the fpm container:
    docker exec -it magento-cloud_fpm_1 bash
  9. Run the command
    curl -k https://tls.magento2.docker/
    The command runs without error

Release notes

Changed the security level in the OpenSSL configuration file (/etc/ssl/openssl.cnf) to fix a dh key too small error that occurs on TLS connection requests in the Cloud Docker environment.

Associated documentation updates

Not required.

Contribution checklist

  • Pull request has a meaningful description of its purpose
  • Pull request introduces user-facing changes and includes meaningful release notes and documentation
  • All commits are accompanied by meaningful commit messages


@mkozell mkozell left a comment


Would the solution be to change how the SSL key and certificate are generated in tls.magento2.docker compared to changing the SECLEVEL in the PHP images? Doesn't changing SECLEVEL from 2 to 1 decrease security?

@oshmyheliuk
Contributor Author

oshmyheliuk commented Aug 12, 2020

@mkozell I tried to generate RSA:2048, RSA:4096, and RSA:8192 but still have the same error.
According to the description of SECLEVEL=2, it should be enough, but it doesn't work.

Level 2
Security level set to 112 bits of security. As a result RSA, DSA and DH keys shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited. In addition to the level 1 exclusions any cipher suite using RC4 is also prohibited. SSL version 3 is also not allowed. Compression is disabled.

Do you know how to generate a certificate and keys which satisfy SECLEVEL=2?
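An added check, not part of this PR or of the magento-cloud-docker project, that reads the SECLEVEL out of an openssl.cnf and shows why regenerating a larger RSA certificate key did not help: at SECLEVEL=2 the ephemeral DH group the server offers must also be at least 2048 bits, and that is what the dh key too small error is about. The openssl.cnf text is constructed after the Debian layout, the 1024-bit DH size used in the checks is an assumption for illustration, and the per-level minimums come from OpenSSL's SSL_CTX_set_security_level documentation.

```python
import re

# Minimum RSA/DSA/DH key size (bits) OpenSSL enforces per security level; from the
# SSL_CTX_set_security_level man page (ECC minimums are lower and not needed here).
SECLEVEL_MIN_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}

# Constructed sample modelled on the Debian /etc/ssl/openssl.cnf layout that the
# php-fpm images inherit; the CipherString line is the one this PR relaxes to SECLEVEL=1.
SAMPLE_OPENSSL_CNF = """\
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
"""

def configured_seclevel(cnf_text):
    """SECLEVEL set by CipherString in [system_default_sect]; a CipherString without
    @SECLEVEL means OpenSSL's built-in default (1); None if no CipherString is set."""
    section = None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip()
            continue
        if section == "system_default_sect" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "CipherString":
                level = re.search(r"@SECLEVEL=(\d)", value)
                return int(level.group(1)) if level else 1
    return None

def check_handshake(seclevel, cert_key_bits, dh_bits):
    """What a client at this level rejects in a server offering an RSA certificate of
    cert_key_bits and ephemeral DH parameters of dh_bits; an empty list means allowed."""
    min_bits = SECLEVEL_MIN_BITS[seclevel]
    problems = []
    if cert_key_bits < min_bits:
        problems.append(f"certificate key {cert_key_bits} < {min_bits} bits")
    if dh_bits < min_bits:  # a bigger certificate key never helps with this one
        problems.append(f"dh key too small: {dh_bits} < {min_bits} bits")
    return problems
```

With the sample config, check_handshake(2, 4096, 1024) still reports only the DH group, which is why the RSA:4096 and RSA:8192 attempts above changed nothing; lowering the level to 1, or raising the server's DH parameters to 2048 bits, each clears it, and only the second keeps the 112-bit floor for every TLS client in the image.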

@mveeramneni

QA Approved

@mkozell

mkozell commented Aug 17, 2020

@mkozell I tried to generate RSA:2048, RSA:4096, and RSA:8192 but still have the same error.
According to the description of SECLEVEL=2, it should be enough, but it doesn't work.

Level 2
Security level set to 112 bits of security. As a result RSA, DSA and DH keys shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited. In addition to the level 1 exclusions any cipher suite using RC4 is also prohibited. SSL version 3 is also not allowed. Compression is disabled.

Do you know how to generate a certificate and keys which satisfy SECLEVEL=2?

It looks like a newer version of Pound may be needed for supporting larger DH keys.

@oshmyheliuk
Contributor Author

@mkozell Yes, Pound 2.7+ supports longer keys; we already have a PR for that: #277
