Query minimum RSA key size?
Felipe Gasper
felipe at felipegasper.com
Mon Sep 26 14:46:40 UTC 2022
> On Sep 26, 2022, at 10:01, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
>
> On Mon, Sep 26, 2022 at 09:52:29AM -0400, Felipe Gasper wrote:
>
>> OpenSSL 1.1.0k introduced behaviour that rejects 1,024-bit RSA key sizes.
>
> No such change was made. Perhaps your OS distribution has bumped the
> default (TLS) security level from 1 (80-bit or more) to 2 (~112 bit or
> more). You can look in the system-wide openssl.cnf file.
>
>> Is the new minimum key size queryable? It appears to be 2,048, but in
>> the event that that changes again I’d ideally love just to grab that
>> value from OpenSSL itself rather than hard-coding it.
>
> The security levels are documented. You can set the security level
> in the cipher string:
>
> DEFAULT:@SECLEVEL=1
>
> or via the API.
Ahh, OK. Indeed, when I set that as the cipher string the error goes away. Thank you!
I see that the API exposes SSL_CTX_get_security_level(); is that the best way to determine minimum RSA key size, or would there be anything more explicit?
cheers,
-Felipe
More information about the openssl-users
mailing list