
RE: [Xen-API] [PATCH] Increase SSL private key from 512 to 1024 bits


  • To: 'Ben Pfaff' <blp@xxxxxxxxxx>, "xen-api@xxxxxxxxxxxxxxxxxxx" <xen-api@xxxxxxxxxxxxxxxxxxx>
  • From: Dave Scott <Dave.Scott@xxxxxxxxxxxxx>
  • Date: Mon, 21 Jun 2010 17:32:55 +0100
  • Accept-language: en-US
  • Acceptlanguage: en-US
  • Cc:
  • Delivery-date: Mon, 21 Jun 2010 09:33:07 -0700
  • List-id: Discussion of API issues surrounding Xen <xen-api.lists.xensource.com>
  • Thread-index: AcsPFsK0XGBsnrosRWqd9CIe7phLKwCSDyrw
  • Thread-topic: [Xen-API] [PATCH] Increase SSL private key from 512 to 1024 bits

Hi,

Thanks for this-- patch pushed.

Cheers,
Dave

> -----Original Message-----
> From: xen-api-bounces@xxxxxxxxxxxxxxxxxxx [mailto:xen-api-
> bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Ben Pfaff
> Sent: 18 June 2010 18:48
> To: xen-api@xxxxxxxxxxxxxxxxxxx
> Subject: [Xen-API] [PATCH] Increase SSL private key from 512 to 1024
> bits
> 
> # HG changeset patch
> # User Ben Pfaff <blp@xxxxxxxxxx>
> # Date 1276886800 25200
> # Node ID 1cb91e8f0b3fbca60d392a5108ecb3ba63e1ed62
> # Parent  2fa5560e38434b07089e04e2542ea50c00586864
> Increase SSL private key from 512 to 1024 bits.
> 
> At Nicira, we are experimenting with the idea of converting XAPI
> SSL keys to SSH keys.  In some cases this might be convenient for
> giving XenServers access to remote resources without distributing
> a second set of keys.
> 
> OpenSSH, however, refuses to accept RSA keys shorter than 768 bits
> for use in authentication.  So this change is necessary, to make
> XAPI generate keys longer than the current default of 512 bits.
> 
> Additionally, RSA says "512-bit keys no longer provide sufficient
> security for anything more than very short-term security needs"
> (http://www.rsa.com/rsalabs/node.asp?id=2218), so this change seems
> like a good idea in any case.
> 
> Increasing the key length makes generating the key at installation
> time take a bit longer, but the difference is not significant:
> on my desktop, "openssl genrsa 512" takes about 10 ms and "openssl
> genrsa 1024" takes about 100 ms.
> 
> Signed-off-by: Ben Pfaff <blp@xxxxxxxxxx>
> 
> diff -r 2fa5560e3843 -r 1cb91e8f0b3f scripts/generate_ssl_cert
> --- a/scripts/generate_ssl_cert       Thu Jun 17 17:31:00 2010 +0100
> +++ b/scripts/generate_ssl_cert       Fri Jun 18 11:46:40 2010 -0700
> @@ -33,7 +33,7 @@
>  CN = ${CN}
>  @eof
> 
> -openssl genrsa > privkey.rsa
> +openssl genrsa 1024 > privkey.rsa
>  openssl req -batch -new -x509 -key privkey.rsa -days 3650 -config
> config -out cert.csr
>  openssl dhparam 512 > dh.pem
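
Review bot: The unchanged context line `openssl dhparam 512 > dh.pem` still generates 512-bit Diffie-Hellman parameters, so after this change the DH group is weaker than the RSA key generated beside it; the reasoning the commit message gives against 512-bit RSA applies to it as well, and it should be raised in the same patch. On the changed line, 1024 bits clears OpenSSH's 768-bit minimum, but the certificate on the following line is issued with `-days 3650`, so this key has to hold up for ten years; `openssl genrsa 2048` would be a better fit for that lifetime, at the cost of a longer one-time generation step at installation.
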
> 
> 
> _______________________________________________
> xen-api mailing list
> xen-api@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/mailman/listinfo/xen-api
