[openssl-dev] [openssl.org #3854] openssl.cnf in openssl-1.0.1m still uses default_bits=1024

kolAflash@kolahilft.de via RT rt at openssl.org
Thu May 21 07:33:22 UTC 2015


Hi!

I just read about the Logjam attack to Diffie-Hellman.

https://weakdh.org/imperfect-forward-secrecy.pdf
| We provide new estimates for the computational resources necessary
| to compute discrete logarithms in groups of these sizes, concluding
| that 768-bit groups are within range of academic teams, and
| 1024-bit groups may plausibly be within range of state-level
| attackers.

(in German)
http://www.heise.de/newsticker/meldung/Logjam-Attacke-Verschluesselung-von-zehntausenden-Servern-gefaehrdet-2657502.html

openssl-1.0.1m still comes with
  default_bits		= 1024
in apps/openssl.cnf (in the source tar-archive).

Looks like openssl-1.0.2a has been upgraded to at least 2048.


Did you consider raising openssl-1.0.1m up to 1024 bits too?


Additionally I found some more places with less than 2048 in the 
openssl-1.0.1m source tar-archive. But I'm not sure if those values may not be 
relevant or just for testing purposes:

./test/P2ss.cnf:10:default_bits         = 1024
./test/CAtsa.cnf:54:default_bits                = 1024
./test/P1ss.cnf:10:default_bits         = 1024
./test/test.cnf:59:default_bits         = 1024
./apps/openssl-vms.cnf:106:default_bits         = 1024
./apps/openssl.cnf:106:default_bits             = 1024
./crypto/conf/ssleay.cnf:15:default_bits        = 512
./crypto/conf/ssleay.cnf:19:default_bits        = 512
./crypto/conf/ssleay.cnf:51:default_bits                = 512
./doc/apps/req.pod:534: default_bits            = 1024
./doc/apps/req.pod:575: default_bits            = 1024
./doc/ssleay.txt:6935:default_bits      = 512           # default number of bits to use.


openssl-1.0.2a.tar.gz looks similar:

./test/P2ss.cnf:10:default_bits         = 1024
./test/CAtsa.cnf:54:default_bits                = 1024
./test/P1ss.cnf:10:default_bits         = 1024
./test/test.cnf:59:default_bits         = 1024
./crypto/conf/ssleay.cnf:15:default_bits        = 512
./crypto/conf/ssleay.cnf:19:default_bits        = 512
./crypto/conf/ssleay.cnf:51:default_bits                = 512
./doc/apps/req.pod:534: default_bits            = 1024
./doc/apps/req.pod:575: default_bits            = 1024
./doc/ssleay.txt:6935:default_bits      = 512           # default number of bits to use.



Kind regards,

kolAflash



-- 
E-Mail: kolAflash at kolahilft.de
PGP key: 0xD83C3408
http://misc.kolahilft.de/pgp/kolAflash_0xD83C3408.asc
https://en.wikipedia.org/wiki/Pretty_Good_Privacy
https://de.wikipedia.org/wiki/OpenPGP
Chat via Jabber/XMPP: kolAflash at jabber.ccc.de
https://en.wikipedia.org/wiki/XMPP
https://de.wikipedia.org/wiki/XMPP
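An added audit helper (not part of the original report or of OpenSSL itself) that automates the grep pass done by hand above: it lists every default_bits setting below a chosen minimum across a source tree, parsing the value even when a trailing comment follows it as in the ssleay.cnf lines. It assumes POSIX sh with grep, awk and sort available.

```shell
#!/bin/sh
# find_weak_default_bits DIR MIN_BITS
# Prints "path:line:bits" for every default_bits value below MIN_BITS
# (MIN_BITS defaults to 2048, the size the report argues for).
find_weak_default_bits() {
    dir=$1
    min=${2:-2048}
    # -r recurse, -n prefix line numbers, -I skip binary files.
    # Match "default_bits" only as a key at the start of a (possibly
    # indented) line, so commented-out lines are not reported.
    grep -rnI '^[[:space:]]*default_bits[[:space:]]*=' "$dir" 2>/dev/null |
    awk -F: -v min="$min" '{
        # grep output is path:line:content; the content part may itself
        # contain ":", so strip the two leading fields explicitly.
        path = $1; line = $2
        content = $0
        sub(/^[^:]*:[^:]*:/, "", content)
        sub(/#.*/, "", content)              # drop a trailing comment
        sub(/.*=[[:space:]]*/, "", content)  # keep only the value
        gsub(/[[:space:]]/, "", content)
        if (content ~ /^[0-9]+$/ && content + 0 < min)
            printf "%s:%s:%s\n", path, line, content
    }' | sort
}
```

Run it as `find_weak_default_bits /path/to/openssl-1.0.1m 2048`; an empty result means no config or doc file in the tree still defaults below 2048 bits.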



