Package: ssl-cert
Version: 1.0.26
Severity: normal

This is the shipped version of /usr/share/ssl-cert/ssleay.cnf, which is used for make-ssl-cert to generate the default key and "snakeoil" certificate.

-----------------
#
# SSLeay example configuration file.
#

RANDFILE                = /dev/urandom

[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
prompt                  = no
policy                  = policy_anything

[ req_distinguished_name ]
commonName              = @HostName@
--------------------------------

It should default to 2048 bits at least, not 1024.

 * many free software crypto tools are defaulting to 2048-bit keys now (e.g. OpenSSH, GnuPG)
 * NIST has recommended avoiding reliance on 1024-bit keys after the end of 2010
 * you can compare other comparable standards at http://keylength.com/

It would be a shame if squeeze shipped with this default set below some common expectations of a key to last at least the lifetime of a Debian release.

Thanks for maintaining ssl-cert!

   --dkg

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.36-rc5-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages ssl-cert depends on:
ii  adduser                3.112    add and remove users and groups
ii  debconf [debconf-2.0]  1.5.35   Debian configuration management sy
ii  openssl                0.9.8o-2 Secure Socket Layer (SSL) binary a

ssl-cert recommends no packages.

Versions of packages ssl-cert suggests:
ii  openssl-blacklist      0.5-2    list of blacklisted OpenSSL RSA ke

-- debconf information excluded
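An added example, not part of the bug report or of the ssl-cert package: a small Python audit of an ssleay.cnf-style file that reads default_bits from the [ req ] section, flags a value below the 2048-bit floor the report argues for, and emits the corrected file. The shipped configuration is embedded as a constructed sample copied from the report; the function names and the 2048 threshold constant are the example's own.

```python
import re

# Constructed sample: the ssleay.cnf quoted in the report (ssl-cert 1.0.26).
SHIPPED_CNF = """\
#
# SSLeay example configuration file.
#
RANDFILE = /dev/urandom

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
prompt = no
policy = policy_anything

[ req_distinguished_name ]
commonName = @HostName@
"""

MIN_RSA_BITS = 2048  # floor assumed here, following the report's recommendation


def parse_openssl_cnf(text):
    """Parse the subset of OpenSSL config syntax ssleay.cnf uses: '#' comments,
    '[ section ]' headers (spaces inside the brackets are allowed) and
    'key = value' lines. Keys before any header go into 'default'."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[\s*([^\]\s]+)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


def req_default_bits(text):
    """default_bits from [ req ] as an int, or None when the file leaves it unset."""
    req = parse_openssl_cnf(text).get("req", {})
    return int(req["default_bits"]) if "default_bits" in req else None


def audit_default_bits(text, minimum=MIN_RSA_BITS):
    """(ok, message) for the RSA size make-ssl-cert would generate from this file."""
    bits = req_default_bits(text)
    if bits is None:
        return False, "default_bits unset in [ req ]; OpenSSL's built-in default applies"
    if bits < minimum:
        return False, f"default_bits = {bits} is below the {minimum}-bit floor"
    return True, f"default_bits = {bits} meets the {minimum}-bit floor"


def harden(text, bits=MIN_RSA_BITS):
    """Return the file with default_bits raised, leaving every other line as shipped."""
    return re.sub(r"(?m)^(\s*default_bits\s*=\s*)\d+", rf"\g<1>{bits}", text)
```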

