xen-api
Re: [Xen-API] [PATCH] Increase SSL private key from 512 to 1024 bits
On 18/06/10 19:47, Ben Pfaff wrote:
> # HG changeset patch
> # User Ben Pfaff <blp@xxxxxxxxxx>
> # Date 1276886800 25200
> # Node ID 1cb91e8f0b3fbca60d392a5108ecb3ba63e1ed62
> # Parent 2fa5560e38434b07089e04e2542ea50c00586864
> Increase SSL private key from 512 to 1024 bits.
>
> At Nicira, we are experimenting with the idea of converting XAPI
> SSL keys to SSH keys. In some cases this might be convenient for
> giving XenServers access to remote resources without distributing
> a second set of keys.
>
> OpenSSH, however, refuses to accept RSA keys shorter than 768 bits
> for use in authentication. So this change is necessary, to make
> XAPI generate keys longer than the current default of 512 bits.
>
> Additionally, RSA says "512-bit keys no longer provide sufficient
> security for anything more than very short-term security needs"
> (http://www.rsa.com/rsalabs/node.asp?id=2218), so this change seems
> like a good idea in any case.
>
> Increasing the key length makes generating the key at installation
> time take a bit longer, but the difference is not significant:
> on my desktop, "openssl genrsa 512" takes about 10 ms and "openssl
> genrsa 1024" takes about 100 ms.
>
> Signed-off-by: Ben Pfaff <blp@xxxxxxxxxx>
>
> diff -r 2fa5560e3843 -r 1cb91e8f0b3f scripts/generate_ssl_cert
> --- a/scripts/generate_ssl_cert Thu Jun 17 17:31:00 2010 +0100
> +++ b/scripts/generate_ssl_cert Fri Jun 18 11:46:40 2010 -0700
> @@ -33,7 +33,7 @@
> CN = ${CN}
> @eof
>
> -openssl genrsa > privkey.rsa
> +openssl genrsa 1024 > privkey.rsa
> openssl req -batch -new -x509 -key privkey.rsa -days 3650 -config config
> -out cert.csr
> openssl dhparam 512 > dh.pem
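Review bot: the trailing context line `openssl dhparam 512 > dh.pem` still generates 512-bit Diffie-Hellman parameters, so the TLS key exchange stays at roughly the strength the commit message quotes RSA Labs as calling insufficient for the RSA key; consider raising the dhparam size alongside the `openssl genrsa 1024 > privkey.rsa` change, or note in the commit message why it is left as is.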
This change looks perfectly fine to me.
Cheers,
M
--
Magnus Therning
magnus.therning@xxxxxxxxxxxxx Jabber: magnusth@eng
There does not now, nor will there ever, exist a programming language
in which it is the least bit hard to write bad programs.
-- Flon's Axiom
_______________________________________________
xen-api mailing list
xen-api@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/mailman/listinfo/xen-api
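A small audit script, added here as an example and not code from the patch or from XAPI: it reads the sizes of the files that scripts/generate_ssl_cert writes and checks them against a minimum, using the 768-bit OpenSSH floor and the 1024-bit target quoted in the commit message. It assumes openssl is on PATH and that the files are named privkey.rsa and dh.pem as in the script.

```shell
#!/bin/sh
# Added example (not part of the patch or of XAPI). Assumes openssl is on PATH.
# Thresholds come from the thread: OpenSSH refuses RSA keys under 768 bits,
# and the patch makes generate_ssl_cert produce 1024-bit keys.

# Print the modulus size in bits of a PEM RSA private key (e.g. privkey.rsa).
# Works with the "Private-Key: (N bit ...)" line of OpenSSL 1.0, 1.1 and 3.x.
rsa_key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Print the prime size in bits of a PEM DH parameter file (e.g. dh.pem).
dh_param_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit.*/\1/p'
}

# check_min_bits FILE KIND MIN
#   KIND is "rsa" or "dh". Returns 0 if FILE is at least MIN bits,
#   1 if it is shorter, 2 if the size could not be read.
check_min_bits() {
    file=$1; kind=$2; min=$3
    case $kind in
        rsa) bits=$(rsa_key_bits "$file") ;;
        dh)  bits=$(dh_param_bits "$file") ;;
        *)   echo "unknown kind: $kind" >&2; return 2 ;;
    esac
    [ -n "$bits" ] || { echo "$file: could not read $kind size" >&2; return 2; }
    if [ "$bits" -ge "$min" ]; then
        echo "$file: $kind $bits bits (>= $min) OK"
        return 0
    fi
    echo "$file: $kind $bits bits (< $min) TOO SHORT"
    return 1
}

# Typical invocation against the files generate_ssl_cert writes:
#   check_min_bits privkey.rsa rsa 768 && check_min_bits dh.pem dh 1024
```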