LinuxQuestions.org
10-15-2014, 07:37 PM   #1   padeen (Member)
openssl update: default key length reduced to 1024


The openssl update today (Oct 15) has changed the openssl.cnf file:
Code:
--- openssl.cnf 2014-08-29 22:14:23.386912705 +0800
+++ openssl.cnf.new     2014-10-16 01:21:04.000000000 +0800
@@ -103,8 +103,7 @@
 ####################################################################
 [ req ]
-#default_bits          = 1024
-default_bits           = 2048
+default_bits           = 1024
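Review bot: the hunk header `@@ -103,8 +103,7 @@` together with the two removed lines (`-#default_bits = 1024` directly followed by `-default_bits = 2048`) shows that the left-hand file already carried the upstream line commented out with a 2048 line added beneath it, which is the signature of an earlier local edit rather than of a change shipped by this update; diffing openssl.cnf.new against a pristine copy of the previous package's openssl.cnf (instead of the live, possibly hand-edited file) would settle that. Since the key sits in the `[ req ]` section, it only sets the size used by `openssl req` when no size is given at generation time, so an explicit size on the command line overrides whatever the file says.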
I'm hesitant to do this; I want longer keys. I did read the security fix and this is not mentioned specifically, but I suspect it may be related to the buffer overflow or miscrafted-packet fixes.

What are the implications of keeping my default key length at 2048 bits?
 
10-15-2014, 11:27 PM   #2   sag47 (Senior Member)
1024 bits is not considered a high enough bit depth to be secure. Several certificate authorities mandate a minimum of 2048 bits. I am highly disturbed by this change.

http://www.thawte.com/resources/2048-bit-compliance/
https://blogs.comodo.com/e-commerce/...-dec31st-free/
http://www.symantec.com/page.jsp?id=...-migration-faq

I could link you more but instead simply google "minimum bit certificate". You'll be provided with plenty more examples.
 
10-16-2014, 12:01 AM   #3   ponce (LQ Guru)
(I can be wrong as I just woke up, but) that setting in openssl.cnf is the default as provided by upstream, and it hasn't changed with the last update.

maybe you should refer to the openssl fellas for some safer defaults: here, I'm in the habit of specifying 4096 bits (on the command line or using gnomint) for my self-generated ssl keys...

 
1 members found this post helpful.
10-16-2014, 12:08 AM   #4   astrogeek (Moderator)
**** UPDATE: This is now covered much better in another LQ thread, here.


Could the OP's concern be related to this? (Link removed, see above thread)

Twilio is advising...
Quote:
We are urging all customers to disable SSLv3 on hosts interacting with the Twilio service as soon as possible and upgrade to use Transport Layer Service (TLS).

Because many clients and servers with which Twilio interacts currently do not support TLS, we have not immediately turned off SSLv3, but are providing a mitigation path for SSLv3 as defined below.
I just saw this in my email and have not investigated yet.

 
10-16-2014, 03:44 AM   #5   sag47 (Senior Member)
Quote:
Originally Posted by astrogeek View Post
**** UPDATE: This is now covered much better in another LQ thread, here.
I don't believe this non-sane default (1024-bit keys) and that vulnerability (POODLE) have anything to do with each other.
 
10-16-2014, 03:57 AM   #6   GazL (LQ Veteran)
Quote:
Originally Posted by sag47 View Post
1024 bits is not considered a high enough bit depth to be secure. Several certificate authorities mandate a minimum of 2048 bits. I am highly disturbed by this change.
It's not a change, so no need to be disturbed. Mine, which is unmodified, was already set that way prior to the Oct 15th update. If padeen's is set to 2048, then it is because he, or someone else responsible for that system, has changed it at some point in the past.

Whether 1024 is a wise default to start with is another matter of course, but don't think that it's been downgraded by this latest update, because it hasn't.
 
2 members found this post helpful.
10-16-2014, 04:05 AM   #7   sag47 (Senior Member)
Quote:
Originally Posted by GazL View Post
Whether 1024 is a wise default to start with is another matter of course, but don't think that it's been downgraded by this latest update, because it hasn't.
Ah fair enough, I didn't really look into the change much. Thanks for the update.
 
10-16-2014, 06:14 AM   #8   padeen (Member, Original Poster)
GazL is right, I did change this when I was generating some self-signed certs. Normally I make a comment and date when I change system defaults, I must have forgotten.

Sorry for the noise, although it may prompt anyone reading whether they want to keep the default or change it.
 
1 members found this post helpful.
10-16-2014, 09:30 AM   #9   kikinovak (MLED Founder)
Quote:
Originally Posted by padeen View Post
The openssl update today (Oct 15) has changed the openssl.cnf file:
Code:
--- openssl.cnf 2014-08-29 22:14:23.386912705 +0800
+++ openssl.cnf.new     2014-10-16 01:21:04.000000000 +0800
@@ -103,8 +103,7 @@
 ####################################################################
 [ req ]
-#default_bits          = 1024
-default_bits           = 2048
+default_bits           = 1024
I'm hesitant to do this; I want longer keys. I did read the security fix and this is not mentioned specifically, but I suspect it may be related to the buffer overflow or miscrafted-packet fixes.

What are the implications of keeping my default key length at 2048 bits?
After today's update, I checked openssl.cnf on my public server, and I have the same thing:

Code:
default_bits = 1024
Should I 1. be worried? 2. Leave that value as is? 3. Change it?
 
10-16-2014, 10:54 AM   #10   ponce (LQ Guru)
Quote:
Originally Posted by kikinovak View Post
After today's update, I checked openssl.cnf on my public server, and I have the same thing:

Code:
default_bits = 1024
Should I 1. be worried? 2. Leave that value as is? 3. Change it?
1. no.
2. it won't hurt.
3. if you like.

that value means that when you generate openssl keys (for an SSL certificate) it will be used as the default number of bits for the key, but you can also specify that number at generation time; like I wrote above, I usually do that, and it's the common practice.

 
2 members found this post helpful.
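An added example, not code from the thread, that checks default_bits the way ponce describes: it parses the [ req ] section of an openssl.cnf text, ignores commented-out lines such as the "#default_bits = 1024" line in padeen's diff, and lets an explicit -newkey rsa:N given at generation time take precedence over the file default. The two config excerpts are constructed to mirror the locally edited and upstream variants discussed above.

```python
import re

# Constructed excerpts of openssl.cnf mirroring the two variants in this thread:
# padeen's locally edited file (upstream line commented out, 2048 added below)
# and the upstream default installed as openssl.cnf.new.
LOCAL_EDITED_CNF = """\
####################################################################
[ req ]
#default_bits          = 1024
default_bits           = 2048
default_keyfile        = privkey.pem
"""

UPSTREAM_CNF = """\
[ req ]
default_bits           = 1024
default_keyfile        = privkey.pem
"""

MIN_BITS = 2048  # the CA minimum cited earlier in the thread


def config_default_bits(cnf_text, section="req"):
    """default_bits from one section of an openssl.cnf text, or None if unset.
    Comments are dropped first, so a commented-out '#default_bits = 1024'
    never counts: only the live line inside [ req ] matters."""
    current = None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        m = re.match(r"\[\s*(\w+)\s*\]$", line)  # section header like [ req ]
        if m:
            current = m.group(1)
            continue
        if current == section and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "default_bits":
                return int(value)
    return None


def effective_bits(cnf_text, newkey=None):
    """Key size 'openssl req' ends up using: an explicit -newkey rsa:N on the
    command line (ponce's habit) takes precedence over the config default."""
    m = re.fullmatch(r"rsa:(\d+)", newkey or "")
    return int(m.group(1)) if m else config_default_bits(cnf_text)


def audit(cnf_text, newkey=None, minimum=MIN_BITS):
    bits = effective_bits(cnf_text, newkey)
    return {"bits": bits, "ok": bits is not None and bits >= minimum}
```

Run audit() against the live /etc/ssl/openssl.cnf contents to see what an unqualified `openssl req -new` would produce on a given host.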
10-16-2014, 11:22 AM   #11   kikinovak (MLED Founder)
Quote:
Originally Posted by ponce View Post
1. no.
2. it won't hurt.
3. if you like.

that value means that when you generate openssl keys (for an SSL certificate) it will be used as the default number of bits for the key, but you can also specify that number at generation time; like I wrote above, I usually do that, and it's the common practice.
Thanks very much!
 