Re: [PATCH 2/2] virnettlscontext: Don't pass static key length to gnutls_dh_params_generate2()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On a Tuesday in 2021, Michal Privoznik wrote:
As encryption norms get more strict it's easy to fall on the
insecure side. For instance, so far we are generating 2048 bits
long prime for Diffie-Hellman keys. Some systems consider this
not long enough. While we may just keep increasing the value
passed to the corresponding gnutls_* function, that is not well
maintainable. Instead, we may do what's recommended in the

Is there a promise gnutls will increase those in the future?

gnutls_* manpage. From gnutls_dh_params_generate2(3):

 It is recommended not to set the number of bits directly, but
 use gnutls_sec_param_to_pk_bits() instead.

Looking into the gnutls_sec_param_to_pk_bits() then [1], 2048
bits corresponds to parameter MEDIUM. Therefore, we want to chose
the next size (HIGH) to be future proof.

IMO this patch should use MEDIUM and the bump should be separate.


1: https://www.gnutls.org/manual/gnutls.html#tab_003akey_002dsizes

Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
---
src/rpc/virnettlscontext.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)


Reviewed-by: Ján Tomko <jtomko@xxxxxxxxxx>

Jano

Attachment: signature.asc
Description: PGP signature


[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux