On Thu, Jul 03, 2014 at 07:20:46PM +0200, Kurt Roeckx wrote:
> On Thu, Jul 03, 2014 at 08:08:52AM -0400, Hubert Kario wrote:
> > ----- Original Message -----
> > > From: "Benny Baumann" <be...@geshi.org>
> > > To: openbsd-t...@openbsd.org, openssl-dev@openssl.org
> > > Sent: Wednesday, 2 July, 2014 8:49:18 PM
> > > Subject: [PATCH] LibReSSL/OpenSSL: Adjust/remove keysize restrictions
> > > 
> > > Hi folks,
> > > 
> > > I know the following patches will cause a controversy just like the
> > > issues they resolve caused me and several other people headaches when
> > > debugging them.
> > > 
> > > But first things first. The attached patches (intentionally) do the
> > > following two things:
> > > 
> > > 1. Adjust the limit for maximum allowed size of a received public key to
> > > be increased from 516 bytes (just barely enough for 4 KBit RSA public
> > > keys) up to 8200 bytes (enough for 64KBit RSA keys with some minor margin)
> > > 
> > > 2. Remove the crippling of the DH/DSA routines for working with at most
> > > 10kBit parameters.
> > 
> > Current general recommendation is that if you require more than 128 bit
> > security you shouldn't be using RSA or DHE in the first place but use ECC.

You'd need someone signing your ECC certificates though.

> > Just generating 16k DH params takes inordinate amount of time.
> > With 4096 bit DH parameters I'm getting less than 20 key exchanges a second
> > with a fast i7 CPU.
> > I'd hazard a guess that with 16k DH you'll be able to do less than 1 key
> > exchange a second.
> > 
> > That's a very neat way to DoS your server.

That's why Benny suggested making the limit configurable instead of
flatly raising it.

> > I won't even mention the whole issue of actually configuring TLS for more
> > than 128 bit security...
> 
> I've had a request in Debian about this too for someone using a
> 16384 bit key.

Some two people using an 8192 and an 8200 bit CAcert signed RSA certificate.
One of them me and the other one the author and submitter of these
patches.

> According to the NIST recommendations
> (http://www.keylength.com/en/4/), 16384 bit would be close to the
> 15360 bit if you want to reach the 256 bit level.
>
> But there currently is no way to reach the 256 level with TLS as
> far as I know.  The best you can currently do is 192 bit, which
> would be a 7680 asymmetric key.  So I think that anything above
> 8192 bit doesn't make any sense at the moment.

Considering that #319 is unresolved for nearly 12 years now, and part 1
of this patch would at least mitigate that one for quite some time into
the future, could the OpenSSL Project please apply at least that one
really soon now, please?

Also, considering how long #319 is open, I think it's not a bad idea to
raise the limit for DH primes from 10000 bit to 2^14 bit or even more
before there's the need to open a new bug for that.

Regards,
Wilfried Klaebe
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
