Query minimum RSA key size?

Felipe Gasper felipe at felipegasper.com
Mon Sep 26 14:46:40 UTC 2022


> On Sep 26, 2022, at 10:01, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
> 
> On Mon, Sep 26, 2022 at 09:52:29AM -0400, Felipe Gasper wrote:
> 
>> OpenSSL 1.1.0k introduced behaviour that rejects 1,024-bit RSA key sizes.
> 
> No such change was made.  Perhaps your OS distribution has bumped the
> default (TLS) security level from 1 (80-bit or more) to 2 (~112 bit or
> more).  You can look in the system-wide openssl.cnf file.
> 
>> Is the new minimum key size queryable? It appears to be 2,048, but in
>> the event that that changes again I’d ideally love just to grab that
>> value from OpenSSL itself rather than hard-coding it.
> 
> The security levels are documented.  You can set the security level
> in the cipher string:
> 
>    DEFAULT:@SECLEVEL=1
> 
> or via the API.

Ahh, OK. Indeed, when I set that as the cipher string the error goes away. Thank you!

I see that the API exposes SSL_CTX_get_security_level(); is that the best way to determine minimum RSA key size, or would there be anything more explicit?

cheers,
-Felipe

