384 bits is too small to be secure, and too small to hold the encrypted
pre-master secret + PKCS#1 padding. The browser should really refuse to make
such a connection anyway. I wouldn't be surprised if you just bumbled onto a
bug in Netscape.

Use 1024-bit or larger moduli.

_____________________________________
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_____________________________________



----- Original Message -----
From: "Pradeep Kamath" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 22, 2001 11:40 AM
Subject: key size 384 gives problem on server


> Hello,
>    I am using the "openssl req" command to generate a
> private key and certificate request for an
> apache-mod_ssl server. Here I have to specify the
> keysize in bits... if a keysize less than 384 is given,
> openssl reports that the size should at least be 384.
> If a size of 384 is given, the key and certificate
> request are successfully generated... a certificate can
> also be got using this certificate request.
> But when this certificate and 384 bit key are used on
> a server, a browser trying to connect to this secure
> apache server is not able to connect...Netscape
> browser reports "an I/O error occured during security
> authorization"
>
> A part of the apache error_log is as follows:
>
> OpenSSL: error:1408B076:SSLroutines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa decrypt
> OpenSSL: error:04065072:rsaroutines:RSA_EAY_PRIVATE_DECRYPT:padding check failed
>
> Can anybody suggest what is wrong?
>
> TIA,
> Pradeep
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
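
The size arithmetic behind the reply above, as an added example that is not part of the original thread and not OpenSSL's code. It assumes the 48-byte TLS RSA pre-master secret and the PKCS#1 v1.5 encryption layout from RFC 8017 section 7.2.1; all function names are hypothetical.

```python
import os

PREMASTER_LEN = 48   # TLS RSA pre-master secret: 2-byte version + 46 random bytes
MIN_OVERHEAD = 11    # 0x00 0x02, at least 8 padding bytes, 0x00 separator


def max_message_len(modulus_bits):
    """Largest plaintext (bytes) PKCS#1 v1.5 encryption accepts for this modulus."""
    k = (modulus_bits + 7) // 8
    return k - MIN_OVERHEAD


def fits_premaster(modulus_bits):
    """True if a padded pre-master secret fits under a modulus of this size."""
    return max_message_len(modulus_bits) >= PREMASTER_LEN


def eme_pkcs1_v15_encode(message, modulus_bits):
    """Build EM = 00 || 02 || PS || 00 || M, as the client does before RSA."""
    k = (modulus_bits + 7) // 8
    if len(message) > k - MIN_OVERHEAD:
        raise ValueError("message too long for %d-bit modulus" % modulus_bits)
    # PS must be non-zero bytes (slightly biased mapping, fine for illustration).
    ps = bytes(b % 255 + 1 for b in os.urandom(k - len(message) - 3))
    return b"\x00\x02" + ps + b"\x00" + message


def eme_pkcs1_v15_decode(em, modulus_bits):
    """Recover M after RSA decryption, or raise on a malformed block.

    Illustration only: not constant-time, unlike a production check.
    """
    k = (modulus_bits + 7) // 8
    if len(em) != k or em[:2] != b"\x00\x02":
        raise ValueError("padding check failed")
    sep = em.find(b"\x00", 2)
    if sep < 10:  # separator missing (-1) or fewer than 8 padding bytes
        raise ValueError("padding check failed")
    return em[sep + 1:]


if __name__ == "__main__":
    secret = b"\x03\x00" + os.urandom(46)  # constructed sample pre-master secret
    for bits in (384, 512, 1024, 2048):
        print(bits, "bits: max plaintext", max_message_len(bits),
              "bytes, pre-master fits:", fits_premaster(bits))
    em = eme_pkcs1_v15_encode(secret, 1024)
    print("round trip ok:", eme_pkcs1_v15_decode(em, 1024) == secret)
```

A 384-bit modulus is exactly 48 bytes, the same length as the pre-master secret, so there is no room for the 11 bytes of mandatory padding.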
