Re: [exim] 8192 length SSL keys
On Mon, Apr 12, 2021 at 10:53:46PM +0100, Jeremy Harris via Exim-users wrote: > On 12/04/2021 21:39, The Doctor via Exim-users wrote: > > Does Exim support 8192 bit SSL keys? > > Nothing works until it's been tried, and I've not > personally tested 8k (or even 4k) keys in certs. > The regression tests use 2k key for RSA > and (it looks like) a nistp521 key for EC. > > I can't comment on other EC variants, but apart > from buffer sizes I'd expect the only limitations > to be in the crypto library in use. > > > I agree with Viktor, use EC. Until we hit > the cryptapocalypse they are much preferred. > > Ed25519 works for DKIM keys, though you need > to worry whether the MTAs you talk to also > support them. You can dual-sign with an RSA > and an EC key. > The tests use 512b (I know; deprecated...) and 1k > keys for DKIM/RSA, and Ed25519 for DKIM/EC. 4K keys do work! > -- > Cheers, >Jeremy > > -- > ## List details at https://lists.exim.org/mailman/listinfo/exim-users > ## Exim details at http://www.exim.org/ > ## Please use the Wiki with this list - http://wiki.exim.org/ -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising! Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b A consequence-free mentality brings the most severe consequences. -unknown -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] 8192 length SSL keys
On 12/04/2021 21:39, The Doctor via Exim-users wrote: Does Exim support 8192 bit SSL keys? Nothing works until it's been tried, and I've not personally tested 8k (or even 4k) keys in certs. The regression tests use 2k key for RSA and (it looks like) a nistp521 key for EC. I can't comment on other EC variants, but apart from buffer sizes I'd expect the only limitations to be in the crypto library in use. I agree with Viktor, use EC. Until we hit the cryptapocalypse they are much preferred. Ed25519 works for DKIM keys, though you need to worry whether the MTAs you talk to also support them. You can dual-sign with an RSA and an EC key. The tests use 512b (I know; deprecated...) and 1k keys for DKIM/RSA, and Ed25519 for DKIM/EC. -- Cheers, Jeremy -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] 8192 length SSL keys
On Mon, Apr 12, 2021 at 02:39:41PM -0600, The Doctor via Exim-users wrote: > Does Exim support 8192 bit SSL keys? Even 4096-bit RSA keys are noticeably slow/bulky, none of the public CAs are using anything stronger than 4096-bit RSA keys and most are using 2048. Why on earth would you want 8192 bits? If you actually want practical strong keys, use ECDSA P256, Ed25519 or Ed449. > IF so why is Thunderbird choking? Wrong question IMHO, don't use 8192 bit RSA, it is not a good idea. -- Viktor. -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
[exim] 8192 length SSL keys
Does Exim support 8192 bit SSL keys? IF so why is Thunderbird choking? -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising! Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b If they can dehumanize the most innocent, they can dehumanize anyone. -unknown -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] "allow_insecure_tainted_data = yes" - was: tainted data issues
Hi Andreas, the problem isn't caused by the new allow_insecure_tainted_data, but these warnings trigger the issue. We're in progress fixing it. -- Heiko signature.asc Description: PGP signature -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/