> From: owner-openssl-...@openssl.org On Behalf Of Kurt Roeckx via RT > Sent: Saturday, 31 August, 2013 12:54
> It seems that s_server by default use 512 bit for the DHE if it's > not specified, and s_client just accepts that. > > Is there a way to set a minimum size? I think think 512 really > is too short and shouldn't be accepted by any client. I think > we should have a minimum of 1024. OpenSSL deliberately continues to support (mostly older) features like SSL2 and export suites that are known weak or vulnerable (at least sometimes) for interoperability. It might be reasonable to have an *optional* minimum, similar to the way we can optionally limit verify depth. OTOH at least for now sess->sess_cert->peer_dh_tmp is exposed and the app can just decide to abort the session. Same as it can for RSA or DSA too short, or MD5 certs, or if you're more ambitious things like RSA that appears to be a Debian broken-random weak key. I think a best-practice default of 1024 for s_server would be better (it uses p-256 for ecdh_tmp which is good), but at least it is test code and has an option for better. Java (or rather JSSE) server uses 768 and can't be fixed :-( ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
