> [[email protected] - Wed Mar 31 09:30:53 2010]:
>
> Hello:
>
> I am doing some development of Diffie-Hellman key agreement with
> libcrypto on Fedora 12. I would like to use quite large DH primes,
> 12K and 16K bit in size, and maybe larger. There appears to be a
> check in the OpenSSL code that limits the size "arbitrarily" to
> 10,000, I presume as a sanity check. I would like to request a change
> that would allow for a way to raise this value by some means that
> didn't involve recompiling the code... I really don't care by which
> means, an environment variable would be fine, or a config file, or a
> different API function...
>
It's there to prevent an effective DoS attack where a huge DH key is used by an untrusted attacker to consume resources. We could provide an override to that. The easiest would be to include a flag in the DH structure which would disable the check if it was set.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
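As an added example (not OpenSSL's code, and written in Python rather than C so it runs without libcrypto), this sketches the check and the per-object override Steve describes, plus a rough measure of why an oversized modulus from an untrusted peer is a resource problem. The flag name, the DHParams type and the 2048-bit cost baseline are assumptions; the 10,000-bit cap is the one the thread discusses.

```python
"""DH modulus size sanity check with an explicit, per-object override.

Constructed example, not OpenSSL code.  The default cap mirrors the
10,000-bit limit discussed in the thread; the flag name is hypothetical.
"""
import secrets
import time
from dataclasses import dataclass

DH_MAX_MODULUS_BITS = 10000       # cap discussed in the thread
DH_FLAG_NO_SIZE_CHECK = 0x01      # hypothetical per-object override flag


@dataclass
class DHParams:
    p: int                        # modulus; an odd integer suffices for a size check
    flags: int = 0                # set only by the local application, never by a peer


class DHModulusTooLarge(ValueError):
    pass


def check_modulus_size(dh: DHParams, max_bits: int = DH_MAX_MODULUS_BITS) -> int:
    """Return the modulus bit length, or raise if it exceeds the cap.

    The cap is bypassed only when the caller set the override flag on this
    particular object, so parameters parsed from an untrusted peer (which
    never carry the flag) are still rejected before any modexp is attempted.
    """
    bits = dh.p.bit_length()
    if bits > max_bits and not (dh.flags & DH_FLAG_NO_SIZE_CHECK):
        raise DHModulusTooLarge(f"DH modulus is {bits} bits, cap is {max_bits}")
    return bits


def accepts(bits: int, flags: int = 0) -> bool:
    """True if a modulus of exactly `bits` bits passes the check with these flags."""
    try:
        check_modulus_size(DHParams(p=(1 << (bits - 1)) | 1, flags=flags))
        return True
    except DHModulusTooLarge:
        return False


def estimated_cost_ratio(bits: int, baseline_bits: int = 2048) -> float:
    """Cost of one modexp relative to the baseline; schoolbook modexp grows ~cubically."""
    return (bits / baseline_bits) ** 3


def time_modexp(bits: int) -> float:
    """Seconds for one modexp with a constructed random odd modulus of `bits` bits."""
    p = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # constructed, not a real DH prime
    t0 = time.perf_counter()
    pow(2, secrets.randbits(bits - 1), p)
    return time.perf_counter() - t0


if __name__ == "__main__":
    for n in (2048, 8192, 16384):
        print(f"{n:6d} bits: ~{estimated_cost_ratio(n):6.1f}x baseline, measured {time_modexp(n):.3f}s")
    print("16384-bit peer modulus accepted without flag:", accepts(16384))
    print("16384-bit local modulus accepted with flag:  ", accepts(16384, DH_FLAG_NO_SIZE_CHECK))
```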
