On Mon, Sep 8, 2014 at 5:59 PM, Salz, Rich <rs...@akamai.com> wrote:
> We are considering changing the default keysize (RSA, DSA, DH) from 1K to
> 2K, and changing the default signing digest from SHA-1 to SHA-256.

No complaints from me for 1K or 2K, but...

    $ cd openssl-1.0.1i
    $ grep -R 512 * | grep -v -i sha
    ...
    apps/dhparam.c:#define DEFBITS 512
    apps/enc.c:#define SIZE (512)
    apps/gendh.c:#define DEFBITS 512
    apps/gendsa.c:#define DEFBITS 512
    apps/req.c:#define DEFAULT_KEY_LENGTH 512
    ...

*****

The change of the default hash could be painful because it's currently hard coded in some places. It may (or may not) affect signing behavior. The potential problem is that down-level clients may not be able to interop because they can't make a selection. (I encountered it some time ago, but I don't have a reference because I don't recall the details).

Jeff

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
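As an added example (not from this thread and not OpenSSL's own code): a dependency-free Python audit that reads a PKCS#1 RSAPublicKey in DER and a signature-algorithm OID, and flags the two things the defaults above leave weak, a modulus under 2048 bits and an MD5/SHA-1 signature. The sample keys are constructed inline with placeholder moduli (not real keys); a real audit would first base64-decode the PEM and pull the key out of the SubjectPublicKeyInfo.

```python
"""Audit RSA key size and signature digest against the proposed defaults."""

MIN_RSA_BITS = 2048
# PKCS#1 v1.5 signature OIDs (dotted form) -> digest name
SIG_DIGEST = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
}
WEAK_DIGESTS = {"md5", "sha1"}

def _read_tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der):
    """Bit length of n in RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "expected SEQUENCE"
    tag, n_bytes, _ = _read_tlv(body, 0)
    assert tag == 0x02, "expected INTEGER"
    return int.from_bytes(n_bytes, "big").bit_length()

def audit(der, sig_oid):
    """Return (modulus_bits, digest_name, list_of_findings); empty list = OK."""
    bits, digest, findings = rsa_modulus_bits(der), SIG_DIGEST.get(sig_oid, "unknown"), []
    if bits < MIN_RSA_BITS:
        findings.append(f"RSA modulus is {bits} bits (< {MIN_RSA_BITS})")
    if digest in WEAK_DIGESTS:
        findings.append(f"signature digest {digest} is deprecated")
    return bits, digest, findings

# --- constructed sample input (placeholder moduli, NOT real keys) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb

def _der_int(v):
    b = v.to_bytes(v.bit_length() // 8 + 1, "big")  # leading 0x00 keeps it positive
    return b"\x02" + _der_len(len(b)) + b

def rsa_public_key_der(n, e):
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body

SAMPLE_512 = rsa_public_key_der((1 << 511) | 1, 65537)    # the old 512-bit default
SAMPLE_2048 = rsa_public_key_der((1 << 2047) | 1, 65537)  # the proposed 2K default
```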