WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-api

Re: [Xen-API] [PATCH] Increase SSL private key from 512 to 1024 bits

To: Ben Pfaff <blp@xxxxxxxxxx>
Subject: Re: [Xen-API] [PATCH] Increase SSL private key from 512 to 1024 bits
From: Magnus Therning <magnus.therning@xxxxxxxxxxxxx>
Date: Mon, 21 Jun 2010 14:16:53 +0100
Cc: "xen-api@xxxxxxxxxxxxxxxxxxx" <xen-api@xxxxxxxxxxxxxxxxxxx>
Delivery-date: Mon, 21 Jun 2010 06:21:07 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <1cb91e8f0b3fbca60d39.1276886855@xxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-api-request@lists.xensource.com?subject=help>
List-id: Discussion of API issues surrounding Xen <xen-api.lists.xensource.com>
List-post: <mailto:xen-api@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-api>, <mailto:xen-api-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-api>, <mailto:xen-api-request@lists.xensource.com?subject=unsubscribe>
References: <1cb91e8f0b3fbca60d39.1276886855@xxxxxxxxxxxxxxxxxxx>
Sender: xen-api-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.9) Gecko/20100407 Lightning/1.0b2pre Shredder/3.0.4
On 18/06/10 19:47, Ben Pfaff wrote:
> # HG changeset patch
> # User Ben Pfaff <blp@xxxxxxxxxx>
> # Date 1276886800 25200
> # Node ID 1cb91e8f0b3fbca60d392a5108ecb3ba63e1ed62
> # Parent  2fa5560e38434b07089e04e2542ea50c00586864
> Increase SSL private key from 512 to 1024 bits.
> 
> At Nicira, we are experimenting with the idea of converting XAPI
> SSL keys to SSH keys.  In some cases this might be convenient for
> giving XenServers access to remote resources without distributing
> a second set of keys.
> 
> OpenSSH, however, refuses to accept RSA keys shorter than 768 bits
> for use in authentication.  So this change is necessary, to make
> XAPI generate keys longer than the current default of 512 bits.
> 
> Additionally, RSA says "512-bit keys no longer provide sufficient
> security for anything more than very short-term security needs"
> (http://www.rsa.com/rsalabs/node.asp?id=2218), so this change seems
> like a good idea in any case.
> 
> Increasing the key length makes generating the key at installation
> time take a bit longer, but the difference is not significant:
> on my desktop, "openssl genrsa 512" takes about 10 ms and "openssl
> genrsa 1024" takes about 100 ms.
> 
> Signed-off-by: Ben Pfaff <blp@xxxxxxxxxx>
> 
> diff -r 2fa5560e3843 -r 1cb91e8f0b3f scripts/generate_ssl_cert
> --- a/scripts/generate_ssl_cert       Thu Jun 17 17:31:00 2010 +0100
> +++ b/scripts/generate_ssl_cert       Fri Jun 18 11:46:40 2010 -0700
> @@ -33,7 +33,7 @@
>  CN = ${CN}
>  @eof
>  
> -openssl genrsa > privkey.rsa
> +openssl genrsa 1024 > privkey.rsa
>  openssl req -batch -new -x509 -key privkey.rsa -days 3650 -config config 
> -out cert.csr
>  openssl dhparam 512 > dh.pem

This change looks perfectly fine to me.

Cheers,
M

-- 
Magnus Therning
magnus.therning@xxxxxxxxxxxxx          Jabber: magnusth@eng

There does not now, nor will there ever, exist a programming language
in which it is the least bit hard to write bad programs.
     -- Flon's Axiom

_______________________________________________
xen-api mailing list
xen-api@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/mailman/listinfo/xen-api

<Prev in Thread] Current Thread [Next in Thread>