10-15-2014, 07:37 PM | #1
Member | Registered: Sep 2009 | Location: Perth, W.A. | Distribution: Slackware, Debian, Gentoo, FreeBSD, OpenBSD | Posts: 208
openssl update: default key length reduced to 1024
The openssl update today (Oct 15) has changed the openssl.cnf file:
Code:
--- openssl.cnf 2014-08-29 22:14:23.386912705 +0800
+++ openssl.cnf.new 2014-10-16 01:21:04.000000000 +0800
@@ -103,8 +103,7 @@
####################################################################
[ req ]
-#default_bits = 1024
-default_bits = 2048
+default_bits = 1024
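Review bot: applying this hunk reverts a local hardening rather than picking up an upstream change. The commented `#default_bits = 1024` directly above the removed `default_bits = 2048` is the stock upstream line, so the 2048 value was set on this host and the openssl.cnf.new file merely restores the shipped default (which, as the thread later confirms, has not moved in this update). When merging, keep `default_bits = 2048` or larger; several certificate authorities refuse keys shorter than 2048 bits, and the value in openssl.cnf is only the fallback for key generations that do not pass a size explicitly.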
I'm hesitant to do this, I want longer keys. I did read the security fix and this is not mentioned specifically, but I suspect it may be related to the buffer overflow or miscrafted packets fixes.
What are the implications of keeping my default key length at 2048 bits?
10-16-2014, 12:01 AM | #3
LQ Guru | Registered: Aug 2004 | Location: Pisa, Italy | Distribution: Slackware | Posts: 7,262
(I can be wrong as I just woke up, but) that setting in openssl.cnf is the default as provided by upstream, and it hasn't changed with the last update.
Maybe you should refer to the openssl fellas for some safer defaults: here. I've got the habit of specifying 4096 bits (on the command line or using gnomint) for my self-generated ssl keys...
Last edited by ponce; 10-16-2014 at 01:51 AM. Reason: additions
1 member found this post helpful.
10-16-2014, 12:08 AM | #4
Moderator | Registered: Oct 2008 | Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1} | Posts: 6,295
**** UPDATE: This is now covered much better in another LQ thread, here.
Could the OP's concern be related to this? (Link removed, see above thread)
Twilio is advising...
Quote:
We are urging all customers to disable SSLv3 on hosts interacting with the Twilio service as soon as possible and upgrade to use Transport Layer Service (TLS).
Because many clients and servers with which Twilio interacts currently do not support TLS, we have not immediately turned off SSLv3, but are providing a mitigation path for SSLv3 as defined below.
I just saw this in my email and have not investigated yet.
Last edited by astrogeek; 10-16-2014 at 01:44 AM.
10-16-2014, 03:44 AM | #5
Senior Member | Registered: Sep 2009 | Location: Raleigh, NC | Distribution: Ubuntu, PopOS, Raspbian | Posts: 1,899
Quote:
Originally Posted by astrogeek
**** UPDATE: This is now covered much better in another LQ thread, here.
I don't believe this non-sane default (1024bit keys) and that vulnerability (POODLE) have anything to do with each other.
10-16-2014, 03:57 AM | #6
LQ Veteran | Registered: May 2008 | Posts: 7,007
Quote:
Originally Posted by sag47
1024 bits is not considered a high enough bit depth to be secure. Several certificate authorities mandate a minimum of 2048 bits. I am highly disturbed by this change.
It's not a change, so no need to be disturbed. Mine, which is unmodified, is already set that way prior to the Oct 15th update. If padeen's is set to 2048, then it is because he, or someone else responsible for that system, has changed it at some point in the past.
Whether 1024 is a wise default to start with is another matter of course, but don't think that it's been downgraded by this latest update, because it hasn't.
2 members found this post helpful.
10-16-2014, 04:05 AM | #7
Senior Member | Registered: Sep 2009 | Location: Raleigh, NC | Distribution: Ubuntu, PopOS, Raspbian | Posts: 1,899
Quote:
Originally Posted by GazL
Whether 1024 is a wise default to start with is another matter of course, but don't think that it's been downgraded by this latest update, because it hasn't.
Ah fair enough, I didn't really look into the change much. Thanks for the update.
10-16-2014, 06:14 AM | #8
Member | Registered: Sep 2009 | Location: Perth, W.A. | Distribution: Slackware, Debian, Gentoo, FreeBSD, OpenBSD | Posts: 208 | Original Poster
GazL is right, I did change this when I was generating some self-signed certs. Normally I make a comment and date when I change system defaults, I must have forgotten.
Sorry for the noise, although it may prompt anyone reading whether they want to keep the default or change it.
1 member found this post helpful.
10-16-2014, 09:30 AM | #9
MLED Founder | Registered: Jun 2011 | Location: Montpezat (South France) | Distribution: CentOS, OpenSUSE | Posts: 3,453
Quote:
Originally Posted by padeen
The openssl update today (Oct 15) has changed the openssl.cnf file:
Code:
--- openssl.cnf 2014-08-29 22:14:23.386912705 +0800
+++ openssl.cnf.new 2014-10-16 01:21:04.000000000 +0800
@@ -103,8 +103,7 @@
####################################################################
[ req ]
-#default_bits = 1024
-default_bits = 2048
+default_bits = 1024
I'm hesitant to do this, I want longer keys. I did read the security fix and this is not mentioned specifically, but I suspect it may be related to the buffer overflow or miscrafted packets fixes.
What are the implications of keeping my default key length at 2048 bits?
After today's update, I checked openssl.cnf on my public server, and I have the same thing:
Code:
default_bits = 1024
Should I 1. be worried? 2. Leave that value as is? 3. Change it?
10-16-2014, 10:54 AM | #10
LQ Guru | Registered: Aug 2004 | Location: Pisa, Italy | Distribution: Slackware | Posts: 7,262
Quote:
Originally Posted by kikinovak
After today's update, I checked openssl.cnf on my public server, and I have the same thing:
Code:
default_bits = 1024
Should I 1. be worried? 2. Leave that value as is? 3. Change it?
1. no.
2. it won't hurt.
3. if you like.
That value means that when you generate openssl keys (for an ssl certificate) it will be used as the default number of bits for the key, but you can also specify that number at generation time: like I wrote above, I usually do that, and it's the common practice.
Last edited by ponce; 10-16-2014 at 10:56 AM.
2 members found this post helpful.
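The thread settles on two points: default_bits under [ req ] is only the fallback used when no key size is given at generation time, and 1024 bits is below what certificate authorities accept. As an added example (not code from the thread or from OpenSSL), the following Python audits that setting in an openssl.cnf: it parses the subset of the syntax involved (section headers, key = value lines, '#' comments, including a commented-out key) and flags a default below a policy minimum. The file contents are constructed from the diff in the first post, and MIN_RSA_BITS is an assumed policy value.

```python
# Added example (not OpenSSL's or the thread's code): audit default_bits in openssl.cnf.
# Handles only the syntax needed here: [ section ] headers, key = value, '#' comments.
import re

MIN_RSA_BITS = 2048  # assumed policy minimum (the CA floor mentioned in the thread)

SECTION_RE = re.compile(r"^\s*\[\s*(?P<name>[^\]]+?)\s*\]\s*$")
KEYVAL_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9_.]+)\s*=\s*(?P<value>.*?)\s*$")


def parse_openssl_cnf(text):
    """Return {section: {key: value}}; keys before any [section] go under ''."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        # Strip comments first, so a commented '#default_bits = 1024' does not count.
        # (A quoted '#' inside a value is not handled; not needed for this check.)
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, {})
            continue
        m = KEYVAL_RE.match(line)
        if m:
            sections[current][m.group("key")] = m.group("value")
    return sections


def req_default_bits(text):
    """default_bits under [ req ], or None when unset (OpenSSL then uses its compiled-in default)."""
    value = parse_openssl_cnf(text).get("req", {}).get("default_bits")
    return int(value) if value is not None else None


def audit_default_bits(text, minimum=MIN_RSA_BITS):
    """Return (bits, ok, message) for the size 'openssl req -new' picks when none is given."""
    bits = req_default_bits(text)
    if bits is None:
        return None, False, "default_bits not set under [ req ]; OpenSSL's built-in default applies"
    ok = bits >= minimum
    return bits, ok, f"default_bits = {bits} ({'meets' if ok else 'below'} the {minimum}-bit minimum)"


# Constructed sample: the two states of the [ req ] section shown in the thread's diff.
CNF_BEFORE = "####################\n[ req ]\n#default_bits = 1024\ndefault_bits = 2048\n"
CNF_AFTER = CNF_BEFORE.replace("\ndefault_bits = 2048", "\ndefault_bits = 1024")

if __name__ == "__main__":
    for label, cnf in (("before", CNF_BEFORE), ("after", CNF_AFTER)):
        print(label + ":", audit_default_bits(cnf)[2])
```

Pointing the same function at /etc/ssl/openssl.cnf shows what a bare `openssl req -new` would generate on that host; a size passed on the command line always takes precedence over this value.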
10-16-2014, 11:22 AM | #11
MLED Founder | Registered: Jun 2011 | Location: Montpezat (South France) | Distribution: CentOS, OpenSUSE | Posts: 3,453
Quote:
Originally Posted by ponce
1. no.
2. it won't hurt.
3. if you like.
That value means that when you generate openssl keys (for an ssl certificate) it will be used as the default number of bits for the key, but you can also specify that number at generation time: like I wrote above, I usually do that, and it's the common practice.
Thanks very much!