Re: [PATCH 2/2] virnettlscontext: Don't pass static key length to gnutls_dh_params_generate2()

On 12/22/21 14:12, Ján Tomko wrote:
> On a Tuesday in 2021, Michal Privoznik wrote:
>> As encryption norms get more strict it's easy to fall on the
>> insecure side. For instance, so far we are generating 2048 bits
>> long prime for Diffie-Hellman keys. Some systems consider this
>> not long enough. While we may just keep increasing the value
>> passed to the corresponding gnutls_* function, that is not well
>> maintainable. Instead, we may do what's recommended in the
> 
> Is there a promise gnutls will increase those in the future?
> 
>> gnutls_* manpage. From gnutls_dh_params_generate2(3):
>>
>>  It is recommended not to set the number of bits directly, but
>>  use gnutls_sec_param_to_pk_bits() instead.
>>
>> Looking into the gnutls_sec_param_to_pk_bits() then [1], 2048
>> bits corresponds to parameter MEDIUM. Therefore, we want to choose
>> the next size (HIGH) to be future proof.
> 
> IMO this patch should use MEDIUM and the bump should be separate.

Good point, let me merge this with MEDIUM and post switch to HIGH in a
separate patch.

Michal
