Thanks for your reply! Ok, this is an understandable reason.

But I still think this is an issue because the error message ("keys do not
match") is very misleading and does not point to the actual problem - the
intentional limitation. There should be an error message which describes that
this is an intentional limitation and that the limitation can be changed
with the compiler switch/constant you described.

Also I wonder, why did OpenSSL create the key and the CSR (successfully?) if
there is a limitation?

Daniel

Stephen Henson via RT r...@openssl.org wrote:

> > [daniel-marsch...@viathinksoft.de - Wed Sep 12 14:14:40 2012]:
> >
> > Hello, I found out that the RSA key size is limited.
> > Here is my script:
> > http://www.viathinksoft.de/~daniel-marschall/asn.1/rsa-keysize-check/openssl_rsa32768_bug/
> > I cannot create a 32768-bit certificate which I want to create as a
> > test certificate to find limits in the implementations of x509
> > parsers.
>
> This is intentional as excessively large key sizes can be used in DoS
> attacks.
>
> If you compile openssl with -DOPENSSL_RSA_MAX_MODULUS_BITS=number you
> can specify an alternative value to the default which is 16384 bits.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
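
The thread above turns on two points: public-key operations are refused above a modulus limit (16384 bits by default), and the resulting error does not name that limit. The following is an added example, not code from this thread or from OpenSSL: a pre-flight check that reads the modulus size from a DER-encoded PKCS#1 RSAPublicKey and reports the limit explicitly. All function names are hypothetical, and the sample keys are constructed placeholders rather than real keys.

```python
# Added example (not OpenSSL code): report an oversized RSA modulus clearly
# before handing the key to a library that enforces a size limit.
MAX_MODULUS_BITS = 16384  # default limit quoted in the thread

def read_tlv(buf, pos):
    """Return (tag, value) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length]

def modulus_bits(der):
    """Bit length of n in RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }."""
    tag, body = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, n_bytes = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n_bytes, "big").bit_length()

def check_key(der, limit=MAX_MODULUS_BITS):
    """Return (ok, message); the message names the limit when it is exceeded."""
    bits = modulus_bits(der)
    if bits > limit:
        return False, (f"RSA modulus is {bits} bits, above the {limit}-bit "
                       "limit (OPENSSL_RSA_MAX_MODULUS_BITS)")
    return True, f"RSA modulus is {bits} bits, within the {limit}-bit limit"

def der(tag, value):
    """Encode one DER element; used only to build the constructed samples."""
    n = len(value)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + value

def sample_key(bits):
    """Constructed RSAPublicKey with a placeholder modulus (not a real key)."""
    n_bytes = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # 0x00 pad
    return der(0x30, der(0x02, n_bytes) + der(0x02, (65537).to_bytes(3, "big")))

if __name__ == "__main__":
    for size in (2048, 32768):
        print(check_key(sample_key(size))[1])
```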