Hi,

Thanks for this-- patch pushed.

Cheers,
Dave

> -----Original Message-----
> From: [email protected] [mailto:xen-api-
> [email protected]] On Behalf Of Ben Pfaff
> Sent: 18 June 2010 18:48
> To: [email protected]
> Subject: [Xen-API] [PATCH] Increase SSL private key from 512 to 1024
> bits
> 
> # HG changeset patch
> # User Ben Pfaff <[email protected]>
> # Date 1276886800 25200
> # Node ID 1cb91e8f0b3fbca60d392a5108ecb3ba63e1ed62
> # Parent  2fa5560e38434b07089e04e2542ea50c00586864
> Increase SSL private key from 512 to 1024 bits.
> 
> At Nicira, we are experimenting with the idea of converting XAPI
> SSL keys to SSH keys.  In some cases this might be convenient for
> giving XenServers access to remote resources without distributing
> a second set of keys.
> 
> OpenSSH, however, refuses to accept RSA keys shorter than 768 bits
> for use in authentication.  So this change is necessary, to make
> XAPI generate keys longer than the current default of 512 bits.
> 
> Additionally, RSA says "512-bit keys no longer provide sufficient
> security for anything more than very short-term security needs"
> (http://www.rsa.com/rsalabs/node.asp?id=2218), so this change seems
> like a good idea in any case.
> 
> Increasing the key length makes generating the key at installation
> time take a bit longer, but the difference is not significant:
> on my desktop, "openssl genrsa 512" takes about 10 ms and "openssl
> genrsa 1024" takes about 100 ms.
> 
> Signed-off-by: Ben Pfaff <[email protected]>
> 
> diff -r 2fa5560e3843 -r 1cb91e8f0b3f scripts/generate_ssl_cert
> --- a/scripts/generate_ssl_cert       Thu Jun 17 17:31:00 2010 +0100
> +++ b/scripts/generate_ssl_cert       Fri Jun 18 11:46:40 2010 -0700
> @@ -33,7 +33,7 @@
>  CN = ${CN}
>  @eof
> 
> -openssl genrsa > privkey.rsa
> +openssl genrsa 1024 > privkey.rsa
>  openssl req -batch -new -x509 -key privkey.rsa -days 3650 -config
> config -out cert.csr
>  openssl dhparam 512 > dh.pem
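Review bot: the unchanged context line `openssl dhparam 512 > dh.pem` still generates 512-bit Diffie-Hellman parameters, so after this hunk the ephemeral key exchange in the TLS handshake remains weaker than the 1024-bit RSA key that `openssl genrsa 1024 > privkey.rsa` now produces; raise it in the same change (e.g. `openssl dhparam 1024 > dh.pem`, or larger) so the two strengths agree. Separately, 1024 bits is only the floor set by OpenSSH's 768-bit minimum cited in the message; since the message's own timings (10 ms versus 100 ms) show generation cost is not a constraint, consider 2048 so the key is not already at the edge of acceptability. Minor: with `-x509`, `openssl req` writes a self-signed certificate, so the output name `cert.csr` is misleading; `cert.pem` would better describe what the file contains.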
> 
> 
> _______________________________________________
> xen-api mailing list
> [email protected]
> http://lists.xensource.com/mailman/listinfo/xen-api