On Thu, Jul 03, 2014 at 11:42:08PM +0200, Wilfried Klaebe wrote: > Am Thu, Jul 03, 2014 at 07:20:46PM +0200 schrieb Kurt Roeckx: > > On Thu, Jul 03, 2014 at 08:08:52AM -0400, Hubert Kario wrote: > > > ----- Original Message ----- > > > > From: "Benny Baumann" <be...@geshi.org> > > > > To: openbsd-t...@openbsd.org, openssl-dev@openssl.org > > > > Sent: Wednesday, 2 July, 2014 8:49:18 PM > > > > Subject: [PATCH] LibReSSL/OpenSSL: Adjust/remove keysize restrictions > > > > > > > > Hi folks, > > > > > > > > I know the following patches will cause a controversy just like the > > > > issues they resolve caused me and several other people headaches when > > > > debugging them. > > > > > > > > But first things first. The attached patches (intentionally) do the > > > > following two things: > > > > > > > > 1. Adjust the limit for maximum allowed size of a received public key to > > > > be increased from 516 bytes (just barely enough for 4 KBit RSA public > > > > keys) up to 8200 bytes (enough for 64KBit RSA keys with some minor > > > > margin) > > > > > > > > 2. Remove the crippling of the DH/DSA routines for working with at most > > > > 10kBit parameters. > > > > > > Current general recommendation is that if you require more than 128 bit > > > security > > > you shouldn't be using RSA or DHE in the first place but use ECC. > > You'd need someone signing your ECC certificates though.
There are CAs doing ECC certificates. I see about 100 that trace back to the mozilla certificate store. They might not be popular, but it does exist and is being used. > > > Just generating 16k DH params takes inordinate amount of time. > > > With 4096 bit DH parameters I'm getting less than 20 key exchanges a > > > second > > > with a fast i7 CPU. > > > I'd hazard a guess that with 16k DH you'll be able to do less than 1 key > > > exchange > > > a second. > > > > > > That's a very neat way to DoS your server. > > That's why Benny suggested making the limit configurable instead of > flatly raising it. But the patch just raises the limit to something I think you shouldn't consider using. > > According to the NIST recommendations > > (http://www.keylength.com/en/4/), 16384 bit would be close to the > > 15360 bit if you want to reach the 256 bit level. > > > > But there currently is no way to reach the 256 level with TLS as > > far as I know. The best you can currently do is 192 bit, which > > would be a 7680 assymetric key. So I think that anything above > > 8192 bit doesn't make any sense at the moment. > > Considering that #319 is unresolved for nearly 12 years now, and part 1 > of this patch would at least mitigate that one for quite some time into > the future, could the OpenSSL Project please apply at least that one > really soon now, please? It got applied 12 years ago? Just not to the limit you want now. Kurt ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
