This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


[Xen-API] [PATCH] Increase SSL private key from 512 to 1024 bits

To: xen-api@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-API] [PATCH] Increase SSL private key from 512 to 1024 bits
From: Ben Pfaff <blp@xxxxxxxxxx>
Date: Fri, 18 Jun 2010 11:47:35 -0700
Delivery-date: Fri, 18 Jun 2010 11:47:57 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-api-request@lists.xensource.com?subject=help>
List-id: Discussion of API issues surrounding Xen <xen-api.lists.xensource.com>
List-post: <mailto:xen-api@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-api>, <mailto:xen-api-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-api>, <mailto:xen-api-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-api-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User Ben Pfaff <blp@xxxxxxxxxx>
# Date 1276886800 25200
# Node ID 1cb91e8f0b3fbca60d392a5108ecb3ba63e1ed62
# Parent  2fa5560e38434b07089e04e2542ea50c00586864
Increase SSL private key from 512 to 1024 bits.

At Nicira, we are experimenting with the idea of converting XAPI
SSL keys to SSH keys.  In some cases this might be convenient for
giving XenServers access to remote resources without distributing
a second set of keys.

OpenSSH, however, refuses to accept RSA keys shorter than 768 bits
for use in authentication.  So this change is necessary, to make
XAPI generate keys longer than the current default of 512 bits.

Additionally, RSA says "512-bit keys no longer provide sufficient
security for anything more than very short-term security needs"
(http://www.rsa.com/rsalabs/node.asp?id=2218), so this change seems
like a good idea in any case.

Increasing the key length makes generating the key at installation
time take a bit longer, but the difference is not significant:
on my desktop, "openssl genrsa 512" takes about 10 ms and "openssl
genrsa 1024" takes about 100 ms.

Signed-off-by: Ben Pfaff <blp@xxxxxxxxxx>

diff -r 2fa5560e3843 -r 1cb91e8f0b3f scripts/generate_ssl_cert
--- a/scripts/generate_ssl_cert Thu Jun 17 17:31:00 2010 +0100
+++ b/scripts/generate_ssl_cert Fri Jun 18 11:46:40 2010 -0700
@@ -33,7 +33,7 @@
 CN = ${CN}
-openssl genrsa > privkey.rsa
+openssl genrsa 1024 > privkey.rsa
 openssl req -batch -new -x509 -key privkey.rsa -days 3650 -config config -out 
 openssl dhparam 512 > dh.pem

xen-api mailing list

<Prev in Thread] Current Thread [Next in Thread>