Viktor Dukhovni wrote in
 <yqjsazq++7ftu...@straasha.imrryr.org>:
 |On Wed, Jun 15, 2022 at 12:07:25AM +0530, P V Anthony wrote:
 |> On 13/6/2022 4:31 pm, Wietse Venema wrote:
 ...
 |Two comments on your server setup:
 |
 |    * The server certificate is 4096 bit RSA.  This is needlessly turgid.

The FreeBSD handbook recommended 4096-bit RSA keys about twenty years
ago, stating that they would likely be secure until 2030, and most
FreeBSD developers had such keys by then.
This was PGP, but the path was set for me.

 |      The issuing CA is 2048 bits, there is little to gain from a
 |      stronger EE key.  Some peer libraries may not support keys of this
 |      size.

I also do this :(  The one is mine, the other is theirs.
And they are signed by a 4096 bit thing themselves.

Now that you said that i was looking, the dehydrated ACME client
(letsencrypt.sh by then) has 4096 bits default since 2016.

FreeBSD seems to use RFC 5480 (Elliptic Curve Cryptography Subject
Public Key Information) id-ecPublicKey, curve P-256, prime256v1.
(As a crypto dummy you look "stupid out of the laundry" to 1:1 the
German "Doof aus der Wäsche gucken".)
For their HTTP at least; i would not have dared this.

OpenBSD uses a 4096-bit key onto them, too.

 |    * The "Let's Encrypt CA" chain is configured for compatibility with
 |      legacy Android systems that trust the expired "DST" root CA:
 |
 |        subject=CN = prometheus.mindmedia.com.sg
 |        issuer=C = US, O = Let's Encrypt, CN = R3
 |
 |        subject=C = US, O = Let's Encrypt, CN = R3
 |        issuer=C = US, O = Internet Security Research Group, CN = ISRG \
 |        Root X1
 |
 |        subject=C = US, O = Internet Security Research Group, CN = \
 |        ISRG Root X1
 |        issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
 |
 |      You may have better luck by configuring "certbot" or similar to
 |      build a chain that avoids the ISRG -> DST cross cert.

Interesting; all of OpenBSD, FreeBSD and i have this one in the
chain, too.
(I struggled sending this .. i am too loud.)

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
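As an added example (not part of this thread, and not code from Viktor, Steffen or the Postfix project): the chain dump quoted above can be checked mechanically for the legacy ISRG Root X1 -> DST Root CA X3 cross-signed path. The script below parses `subject=`/`issuer=` lines as printed by `openssl x509 -noout -subject -issuer` for each certificate, and also the ` 0 s:` / `   i:` lines that `openssl s_client -showcerts` prints; it verifies that each certificate's issuer matches the next certificate's subject and reports whether the chain terminates at the expired DST root. The sample input is constructed from the three certificates quoted in the thread, with the line-wrapped DNs joined back together.

```python
"""Detect the legacy ISRG Root X1 -> DST Root CA X3 cross-signed chain
in an openssl-style certificate chain dump (added example)."""
import re

# Constructed sample: the subject/issuer pairs quoted in the thread,
# leaf first, in the `openssl x509 -noout -subject -issuer` format.
SAMPLE_CHAIN_TEXT = """\
subject=CN = prometheus.mindmedia.com.sg
issuer=C = US, O = Let's Encrypt, CN = R3

subject=C = US, O = Let's Encrypt, CN = R3
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1

subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
"""

# The cross-signer that expired in 2021; chains ending here only help
# legacy Android clients and can break peers that reject expired roots.
EXPIRED_CROSS_SIGNER = "DST Root CA X3"

# Accept both `subject=...` lines and the ` 0 s:...` form of s_client.
_SUBJECT_RE = re.compile(r"^(?:subject=|[ \t]*\d+[ \t]+s:)(.*)$", re.M)
_ISSUER_RE = re.compile(r"^(?:issuer=|[ \t]+i:)(.*)$", re.M)


def parse_chain(text):
    """Return a list of (subject, issuer) tuples, leaf first."""
    subjects = [s.strip() for s in _SUBJECT_RE.findall(text)]
    issuers = [i.strip() for i in _ISSUER_RE.findall(text)]
    if not subjects or len(subjects) != len(issuers):
        raise ValueError("unbalanced or missing subject/issuer lines")
    return list(zip(subjects, issuers))


def common_name(dn):
    """Extract the CN attribute from an OpenSSL-formatted DN."""
    m = re.search(r"CN\s*=\s*([^,]+)", dn)
    return m.group(1).strip() if m else dn


def check_linkage(chain):
    """Each certificate's issuer must equal the next certificate's subject."""
    return all(issuer == next_subject
               for (_, issuer), (next_subject, _) in zip(chain, chain[1:]))


def uses_expired_cross_sign(chain):
    """True if the last certificate presented is issued by the DST root."""
    return common_name(chain[-1][1]) == EXPIRED_CROSS_SIGNER


def analyse(text):
    """Summarise a chain dump: depth, linkage, and the legacy-chain flag."""
    chain = parse_chain(text)
    return {
        "depth": len(chain),
        "linked": check_linkage(chain),
        "ends_at": common_name(chain[-1][1]),
        "legacy_dst_chain": uses_expired_cross_sign(chain),
    }


def recommendation(result):
    """Suggest the certbot option that selects the shorter ISRG chain."""
    if result["legacy_dst_chain"]:
        return 'request the chain with: certbot --preferred-chain "ISRG Root X1"'
    return "chain does not use the expired DST cross-sign"


if __name__ == "__main__":
    summary = analyse(SAMPLE_CHAIN_TEXT)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print(recommendation(summary))
```

Run it against the output of `openssl s_client -connect host:25 -starttls smtp -showcerts` (or a PEM bundle piped through `openssl x509` per certificate) to see which chain the MTA actually serves. The `--preferred-chain "ISRG Root X1"` option is a real certbot flag that makes the ACME client fetch the alternate chain ending at the self-signed ISRG root instead of the DST cross-sign; other ACME clients have equivalent settings.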
