WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-api

RE: [Xen-API] [PATCH] Increase SSL private key from 512 to 1024 bits

To: 'Ben Pfaff' <blp@xxxxxxxxxx>, "xen-api@xxxxxxxxxxxxxxxxxxx" <xen-api@xxxxxxxxxxxxxxxxxxx>
Subject: RE: [Xen-API] [PATCH] Increase SSL private key from 512 to 1024 bits
From: Dave Scott <Dave.Scott@xxxxxxxxxxxxx>
Date: Mon, 21 Jun 2010 17:32:55 +0100
Hi,

Thanks for this-- patch pushed.

Cheers,
Dave

> -----Original Message-----
> From: xen-api-bounces@xxxxxxxxxxxxxxxxxxx [mailto:xen-api-
> bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Ben Pfaff
> Sent: 18 June 2010 18:48
> To: xen-api@xxxxxxxxxxxxxxxxxxx
> Subject: [Xen-API] [PATCH] Increase SSL private key from 512 to 1024
> bits
> 
> # HG changeset patch
> # User Ben Pfaff <blp@xxxxxxxxxx>
> # Date 1276886800 25200
> # Node ID 1cb91e8f0b3fbca60d392a5108ecb3ba63e1ed62
> # Parent  2fa5560e38434b07089e04e2542ea50c00586864
> Increase SSL private key from 512 to 1024 bits.
> 
> At Nicira, we are experimenting with the idea of converting XAPI
> SSL keys to SSH keys.  In some cases this might be convenient for
> giving XenServers access to remote resources without distributing
> a second set of keys.
> 
> OpenSSH, however, refuses to accept RSA keys shorter than 768 bits
> for use in authentication.  So this change is necessary, to make
> XAPI generate keys longer than the current default of 512 bits.
> 
> Additionally, RSA says "512-bit keys no longer provide sufficient
> security for anything more than very short-term security needs"
> (http://www.rsa.com/rsalabs/node.asp?id=2218), so this change seems
> like a good idea in any case.
> 
> Increasing the key length makes generating the key at installation
> time take a bit longer, but the difference is not significant:
> on my desktop, "openssl genrsa 512" takes about 10 ms and "openssl
> genrsa 1024" takes about 100 ms.
> 
> Signed-off-by: Ben Pfaff <blp@xxxxxxxxxx>
> 
> diff -r 2fa5560e3843 -r 1cb91e8f0b3f scripts/generate_ssl_cert
> --- a/scripts/generate_ssl_cert       Thu Jun 17 17:31:00 2010 +0100
> +++ b/scripts/generate_ssl_cert       Fri Jun 18 11:46:40 2010 -0700
> @@ -33,7 +33,7 @@
>  CN = ${CN}
>  @eof
> 
> -openssl genrsa > privkey.rsa
> +openssl genrsa 1024 > privkey.rsa
>  openssl req -batch -new -x509 -key privkey.rsa -days 3650 -config
> config -out cert.csr
>  openssl dhparam 512 > dh.pem
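Review bot: the unchanged context line `openssl dhparam 512 > dh.pem` still generates 512-bit Diffie-Hellman parameters, so with this change applied the DH group is weaker than the RSA key; raise it in the same patch so the two are at least matched. On the changed line, `openssl genrsa 1024` clears the 768-bit OpenSSH minimum cited in the commit message, but the following line issues the certificate with `-days 3650`, so this key is expected to stay in service for ten years, and 2048 bits would be a safer size for that lifetime. The commit message says the key is generated at installation time, so it is also worth noting in the description that hosts installed before this change keep their existing 512-bit key.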
> 
> 
> _______________________________________________
> xen-api mailing list
> xen-api@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/mailman/listinfo/xen-api
