----- Original Message ----- > From: "Wilfried Klaebe" <[email protected]> > To: [email protected] > Sent: Thursday, 3 July, 2014 11:42:08 PM > Subject: Re: [PATCH] LibReSSL/OpenSSL: Adjust/remove keysize restrictions > > Am Thu, Jul 03, 2014 at 07:20:46PM +0200 schrieb Kurt Roeckx: > > On Thu, Jul 03, 2014 at 08:08:52AM -0400, Hubert Kario wrote: > > > ----- Original Message ----- > > > > From: "Benny Baumann" <[email protected]> > > > > To: [email protected], [email protected] > > > > Sent: Wednesday, 2 July, 2014 8:49:18 PM > > > > Subject: [PATCH] LibReSSL/OpenSSL: Adjust/remove keysize restrictions > > > > > > > > Hi folks, > > > > > > > > I know the following patches will cause a controversy just like the > > > > issues they resolve caused me and several other people headaches when > > > > debugging them. > > > > > > > > But first things first. The attached patches (intentionally) do the > > > > following two things: > > > > > > > > 1. Adjust the limit for maximum allowed size of a received public key > > > > to > > > > be increased from 516 bytes (just barely enough for 4 KBit RSA public > > > > keys) up to 8200 bytes (enough for 64KBit RSA keys with some minor > > > > margin) > > > > > > > > 2. Remove the crippling of the DH/DSA routines for working with at most > > > > 10kBit parameters. > > > > > > Current general recommendation is that if you require more than 128 bit > > > security > > > you shouldn't be using RSA or DHE in the first place but use ECC. > > You'd need someone signing your ECC certificates though.
There are generally trusted CAs that have >4k keys? I haven't seen one. There certainly isn't one in the Mozilla trust store. on the other hand, I see 5 384 bit ECC roots... I also saw few websites "in the wild" that were using them, so they are using them for signing > > > I won't even mention the whole issue of actually configuring TLS for more > > > than > > > 128 bit security... > > > > I've had a request in Debian about this too for someone using a > > 16384 bit key. > > Some two people using a 8192 and a 8200 bit CAcert signed RSA certificate. > One of them me and the other one the author and submitter of these > patches. If the root that performs signing (CAcert) is using 4096 bit RSA key and you're using DHE or ECDHE you won't gain anything from going over 4096 bit for the server certificate... The weakest link will be the CA key one way or another. -- Regards, Hubert Kario Quality Engineer, QE BaseOS Security team Email: [email protected] Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [email protected]
