Package: python3-trustme
Version: 0.4.0-3
Severity: important
Tags: patch

Debian changed the default key size requirement to 2048 bits, thus keys
generated with trustme no longer work.

diff --git a/trustme/__init__.py b/trustme/__init__.py
index 7f2b37a..d0c50a5 100644
--- a/trustme/__init__.py
+++ b/trustme/__init__.py
@@ -33,7 +33,12 @@ except NameError:
 # On my laptop, making a CA + server certificate using 1024 bit keys takes ~40
 # ms, and using 4096 bit keys takes ~2 seconds. We want tests to run in 40 ms,
 # not 2 seconds.
-_KEY_SIZE = 1024
+#
+# However, Debian changed the default security level to 2 in openssl
+# 1.1.1~~pre9-1 (August 2018), which requires a minimum key size of 2048 bit or
+# larger for RSA and DHE keys. To avoid test failures on newer Debian systems
+# against OpenSSL, we must therefore use a key size of at least 2048 bits.
+_KEY_SIZE = 2048
 
 
 def _name(name, common_name=None):
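Review bot: The context comment kept above `_KEY_SIZE` still gives timings only for 1024-bit (~40 ms) and 4096-bit (~2 seconds) keys and says tests should run in 40 ms, which no longer describes the configured value once `_KEY_SIZE = 2048`. Consider adding the measured cost for 2048-bit keys or rewording that sentence, so the comment states the trade-off actually being made. The added comment also sets the constant to exactly the minimum it cites for security level 2, so a short remark that the value has to be raised if the required minimum rises again would help the next reader.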


-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (700, 'stable'), (600, 'unstable'), (550, 'experimental'), (550, 
'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python3-trustme depends on:
ii  python3               3.7.3-1
ii  python3-cryptography  2.6.1-3
ii  python3-idna          2.6-1

python3-trustme recommends no packages.

python3-trustme suggests no packages.
