[openssl.org #2875] Limited rsa keysize

2014-06-29 Thread Stephen Henson via RT
This case now prints out library errors which will make it clear that the
operation failed because the key is too large. Ticket resolved.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


[openssl.org #2875] Limited rsa keysize

2012-09-12 Thread Stephen Henson via RT
> [daniel-marsch...@viathinksoft.de - Wed Sep 12 14:14:40 2012]:
>
> Hello, I found out that the rsa keysize is limited.
> Here is my script:
> http://www.viathinksoft.de/~daniel-marschall/asn.1/rsa-keysize-check/openssl_rsa32768_bug/
> I cannot create a 32768 bits certificate which I want to create as
> test certificate to find limits in the implementations of x509
> parsers.

This is intentional as excessively large key sizes can be used in DoS
attacks.

If you compile openssl with -DOPENSSL_RSA_MAX_MODULUS_BITS=number you
can specify an alternative value to the default which is 16384 bits.

Steve.
-- 
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
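
Added example (not part of the thread and not OpenSSL code): one way an application can apply the same kind of cap to an untrusted RSA public key before using it, by reading the modulus length out of the DER encoding. The function names, MAX_MODULUS_BITS and the constructed sample key are assumptions for illustration; 16384 is the default quoted above.

```c
/* Added example, not OpenSSL source: measure the modulus of a DER PKCS#1
 * RSAPublicKey (SEQUENCE { INTEGER n, INTEGER e }) and refuse oversized keys. */
#include <stddef.h>
#define MAX_MODULUS_BITS 16384 /* the default limit quoted in the thread */

/* Parse one DER header with the expected tag; returns its size, 0 if malformed. */
static size_t der_header(const unsigned char *p, size_t avail,
                         unsigned char tag, size_t *len) {
    if (avail < 2 || p[0] != tag) return 0;
    if (p[1] < 0x80) { *len = p[1]; return *len <= avail - 2 ? 2 : 0; }
    size_t n = p[1] & 0x7f, hdr = 2 + n;
    if (n == 0 || n > sizeof(size_t) || hdr > avail) return 0;
    *len = 0;
    for (size_t i = 0; i < n; i++) *len = (*len << 8) | p[2 + i];
    return *len <= avail - hdr ? hdr : 0;
}

/* Bit length of the modulus, or -1 if the encoding is malformed. */
long rsa_modulus_bits(const unsigned char *der, size_t der_len) {
    size_t seq_len, n_len, h1, h2;
    if (!(h1 = der_header(der, der_len, 0x30, &seq_len))) return -1;
    if (!(h2 = der_header(der + h1, seq_len, 0x02, &n_len))) return -1;
    const unsigned char *n = der + h1 + h2;
    if (n_len == 0 || (n[0] & 0x80)) return -1; /* empty or negative */
    while (n_len > 0 && *n == 0) { n++; n_len--; } /* sign padding */
    if (n_len == 0) return 0;
    long bits = (long)(n_len - 1) * 8;
    for (unsigned char top = *n; top; top >>= 1) bits++;
    return bits;
}

/* 1 if the key is well-formed and within the cap, else 0. */
int rsa_key_allowed(const unsigned char *der, size_t der_len) {
    long bits = rsa_modulus_bits(der, der_len);
    return bits > 0 && bits <= MAX_MODULUS_BITS;
}

/* Constructed sample (256 <= n_bytes <= 60000; buf holds n_bytes + 14 bytes). */
size_t make_sample_key(unsigned char *buf, size_t n_bytes) {
    size_t n_len = n_bytes + 1, seq_len = n_len + 9, i = 0;
    const unsigned char e[5] = {0x02, 0x03, 0x01, 0x00, 0x01}; /* e = 65537 */
    buf[i++] = 0x30; buf[i++] = 0x82;
    buf[i++] = (unsigned char)(seq_len >> 8); buf[i++] = (unsigned char)seq_len;
    buf[i++] = 0x02; buf[i++] = 0x82;
    buf[i++] = (unsigned char)(n_len >> 8); buf[i++] = (unsigned char)n_len;
    buf[i++] = 0x00; buf[i++] = 0x80; /* sign pad, then top bit set */
    while (i < 8 + n_len) buf[i++] = 0x01;
    for (size_t k = 0; k < 5; k++) buf[i++] = e[k];
    return i;
}
```

The size check reads only the length fields, so a 32768-bit key is rejected without any big-number arithmetic being performed on it.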



Re: [openssl.org #2875] Limited rsa keysize

2012-09-12 Thread Daniel Marschall via RT
Thanks for your reply! Ok, this is an understandable reason.

But I still think this is an issue because the error message ("keys do not
match") is very misleading and does not point to the actual problem - the
intentional limitation. There should be an error message which describes that
this is an intentional limitation and that the limitation can be changed
with the compiler switch/constant you described.

Also I wonder, why did OpenSSL create the key and the csr (successfully?) if 
there is a limitation?

Daniel



Stephen Henson via RT r...@openssl.org wrote:

>> [daniel-marsch...@viathinksoft.de - Wed Sep 12 14:14:40 2012]:
>>
>> Hello, I found out that the rsa keysize is limited.
>> Here is my script:
>> http://www.viathinksoft.de/~daniel-marschall/asn.1/rsa-keysize-check/openssl_rsa32768_bug/
>> I cannot create a 32768 bits certificate which I want to create as
>> test certificate to find limits in the implementations of x509
>> parsers.
>
> This is intentional as excessively large key sizes can be used in DoS
> attacks.
>
> If you compile openssl with -DOPENSSL_RSA_MAX_MODULUS_BITS=number you
> can specify an alternative value to the default which is 16384 bits.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
