Re: [PATCH] virnettlshelpers: Update private key

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 7/13/21 11:25 AM, Peter Krempa wrote:
> On Tue, Jul 13, 2021 at 08:57:30 +0200, Michal Privoznik wrote:
>> In not so distant past (v6.5.0~3) I've updated the private key we
>> use for virnettls* tests. Back then I was driven by Fedora 33
>> change which deprecated RSA-1024 which we used back then. I
>> generated an EC-384 key which was fine as it was considered
>> strong enough until RHEL-9 came along. RHEL-9 no longer considers
>> any of EC keys strong enough (for key exchange) and thus we're
>> back to RSA, but this time with 2048 bits. Generated by this cmd
>> line:
> 
> I'd go for 4096 bits to stay ahead a bit.
> 
>>
>>   openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048
>>
>> Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
>> ---
> 
> My quick google search yielded just some JDK changes for improving the
> implementation of EC algorithms:
> 
> https://bugs.openjdk.java.net/browse/JDK-8208698
> 
> but nothing that would state it's no longer secure or anything.
> 
> Either way.
> 
> Reviewed-by: Peter Krempa <pkrempa@xxxxxxxxxx>
> 

Alright, so after more debugging this turned out to be a bug in
crypto-policies package in RHEL-9. It's fixed by the following commit:

https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/a5e64bb9a4afcd67965218ba41e28a6839aa9a12

And I can confirm that with that commit the virnettlssessiontest passes
again. Thus I think this patch can be discarded.

Michal




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux