
Re: [Xen-API] [PATCH] Increase SSL private key from 512 to 1024 bits



On 18/06/10 19:47, Ben Pfaff wrote:
> # HG changeset patch
> # User Ben Pfaff <blp@xxxxxxxxxx>
> # Date 1276886800 25200
> # Node ID 1cb91e8f0b3fbca60d392a5108ecb3ba63e1ed62
> # Parent  2fa5560e38434b07089e04e2542ea50c00586864
> Increase SSL private key from 512 to 1024 bits.
> 
> At Nicira, we are experimenting with the idea of converting XAPI
> SSL keys to SSH keys.  In some cases this might be convenient for
> giving XenServers access to remote resources without distributing
> a second set of keys.
> 
> OpenSSH, however, refuses to accept RSA keys shorter than 768 bits
> for use in authentication.  So this change is necessary, to make
> XAPI generate keys longer than the current default of 512 bits.
> 
> Additionally, RSA says "512-bit keys no longer provide sufficient
> security for anything more than very short-term security needs"
> (http://www.rsa.com/rsalabs/node.asp?id=2218), so this change seems
> like a good idea in any case.
> 
> Increasing the key length makes generating the key at installation
> time take a bit longer, but the difference is not significant:
> on my desktop, "openssl genrsa 512" takes about 10 ms and "openssl
> genrsa 1024" takes about 100 ms.
> 
> Signed-off-by: Ben Pfaff <blp@xxxxxxxxxx>
> 
> diff -r 2fa5560e3843 -r 1cb91e8f0b3f scripts/generate_ssl_cert
> --- a/scripts/generate_ssl_cert       Thu Jun 17 17:31:00 2010 +0100
> +++ b/scripts/generate_ssl_cert       Fri Jun 18 11:46:40 2010 -0700
> @@ -33,7 +33,7 @@
>  CN = ${CN}
>  @eof
>  
> -openssl genrsa > privkey.rsa
> +openssl genrsa 1024 > privkey.rsa
>  openssl req -batch -new -x509 -key privkey.rsa -days 3650 -config config 
> -out cert.csr
>  openssl dhparam 512 > dh.pem
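Review bot: the unchanged context line `openssl dhparam 512 > dh.pem` two lines below the edit still generates 512-bit Diffie-Hellman parameters, so the commit message's own argument that 512-bit keys "no longer provide sufficient security" applies to dh.pem as much as to privkey.rsa; consider raising `openssl dhparam 512` in the same change, or saying in the commit message why the DH size is deliberately left alone. Minor: the quoted `-out cert.csr` continuation reads as a removed line here because the `openssl req` line was wrapped in the mail; it is part of the preceding command, not a change.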

This change looks perfectly fine to me.

Cheers,
M

-- 
Magnus Therning
magnus.therning@xxxxxxxxxxxxx          Jabber: magnusth@eng

There does not now, nor will there ever, exist a programming language
in which it is the least bit hard to write bad programs.
     -- Flon's Axiom
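As an added example (not code from the xen-api tree or from either poster), a small POSIX sh audit for the two files generate_ssl_cert produces, so a host still carrying a pre-patch 512-bit privkey.rsa, or a dh.pem made with `openssl dhparam 512`, is flagged before it is relied on. It assumes the openssl CLI is on PATH and uses the script's own file names privkey.rsa and dh.pem only in the usage comment.

```shell
#!/bin/sh
# Added example, not part of the xen-api patch: report the size of the RSA
# key and DH parameters written by scripts/generate_ssl_cert and fail when
# either is below a chosen floor. Assumes the openssl CLI is on PATH.

# Bit length of the RSA modulus in PEM private key $1 (PKCS#1 or PKCS#8).
rsa_key_bits() {
    hex=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    hex=${hex#Modulus=}
    # A generated RSA modulus has its top bit set, so 4 bits per hex digit.
    echo $(( ${#hex} * 4 ))
}

# Bit length of the prime in PEM DH parameter file $1.
dh_param_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*DH Parameters: (\([0-9]*\) bit.*/\1/p' | head -n 1
}

# audit_file KIND FILE MIN_BITS, KIND being "rsa" or "dh".
# Returns 0 when the size is at or above MIN_BITS, 1 when it is below,
# 2 when the file cannot be read as that kind of material.
audit_file() {
    kind=$1; file=$2; min=$3
    case $kind in
        rsa) bits=$(rsa_key_bits "$file") ;;
        dh)  bits=$(dh_param_bits "$file") ;;
        *)   echo "audit_file: unknown kind $kind" >&2; return 2 ;;
    esac
    if [ -z "$bits" ]; then
        echo "$file: cannot read $kind material" >&2
        return 2
    fi
    if [ "$bits" -lt "$min" ]; then
        echo "$file: $kind size $bits bits is below the $min-bit floor" >&2
        return 1
    fi
    echo "$file: $kind size $bits bits ok"
    return 0
}

# Typical use on a host provisioned by generate_ssl_cert (paths assumed):
#   audit_file rsa privkey.rsa 1024 && audit_file dh dh.pem 1024
```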

_______________________________________________
xen-api mailing list
xen-api@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/mailman/listinfo/xen-api


 

