
[Xen-API] [PATCH] Increase SSL private key from 512 to 1024 bits


  • To: xen-api@xxxxxxxxxxxxxxxxxxx
  • From: Ben Pfaff <blp@xxxxxxxxxx>
  • Date: Fri, 18 Jun 2010 11:47:35 -0700
  • Delivery-date: Fri, 18 Jun 2010 11:47:57 -0700
  • List-id: Discussion of API issues surrounding Xen <xen-api.lists.xensource.com>

# HG changeset patch
# User Ben Pfaff <blp@xxxxxxxxxx>
# Date 1276886800 25200
# Node ID 1cb91e8f0b3fbca60d392a5108ecb3ba63e1ed62
# Parent  2fa5560e38434b07089e04e2542ea50c00586864
Increase SSL private key from 512 to 1024 bits.

At Nicira, we are experimenting with the idea of converting XAPI
SSL keys to SSH keys.  In some cases this might be convenient for
giving XenServers access to remote resources without distributing
a second set of keys.

OpenSSH, however, refuses to accept RSA keys shorter than 768 bits
for use in authentication.  So this change is necessary, to make
XAPI generate keys longer than the current default of 512 bits.

Additionally, RSA says "512-bit keys no longer provide sufficient
security for anything more than very short-term security needs"
(http://www.rsa.com/rsalabs/node.asp?id=2218), so this change seems
like a good idea in any case.

Increasing the key length makes generating the key at installation
time take a bit longer, but the difference is not significant:
on my desktop, "openssl genrsa 512" takes about 10 ms and "openssl
genrsa 1024" takes about 100 ms.

Signed-off-by: Ben Pfaff <blp@xxxxxxxxxx>

diff -r 2fa5560e3843 -r 1cb91e8f0b3f scripts/generate_ssl_cert
--- a/scripts/generate_ssl_cert Thu Jun 17 17:31:00 2010 +0100
+++ b/scripts/generate_ssl_cert Fri Jun 18 11:46:40 2010 -0700
@@ -33,7 +33,7 @@
 CN = ${CN}
 @eof
 
-openssl genrsa > privkey.rsa
+openssl genrsa 1024 > privkey.rsa
 openssl req -batch -new -x509 -key privkey.rsa -days 3650 -config config -out 
cert.csr
 openssl dhparam 512 > dh.pem
 
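Review bot: the DH parameter line two lines below the change, `openssl dhparam 512 > dh.pem`, is left at 512 bits, so after this patch the ephemeral Diffie-Hellman group is weaker than the RSA key whose certificate it is served with; a 512-bit DH group is within reach of discrete-log computation, so it should be raised in the same patch (2048 is the usual floor), otherwise the stated aim of moving off sizes that are "short-term only" is only half met. Separately, `openssl genrsa 1024` hardcodes the size inline; a variable such as `KEY_BITS=1024` near the top of the script would make the next increase a one-line change, and since the certificate is issued for `-days 3650`, consider 2048 bits now so the key is not considered too short long before the certificate expires, a point the commit message's own RSA Labs citation already argues for.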

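The two thresholds in the commit message, OpenSSH's 768-bit floor for RSA authentication and the 512-bit default that RSA Labs calls adequate only for short-term needs, make a fleet audit worthwhile: which already-installed `privkey.rsa` files fall under them. The following is an added example, not code from the patch or from XAPI. It parses the PKCS#1 `BEGIN RSA PRIVATE KEY` PEM that `openssl genrsa` writes and reads the modulus length straight out of the DER, so it needs no OpenSSL binary. The sample key is constructed in-code with a made-up modulus (correct structure, not a valid key pair) so the example runs offline; the function names and the 1024-bit policy default are this example's own assumptions.

```python
"""Audit PKCS#1 RSA private keys (as written by ``openssl genrsa``) for
modulus length.  Added example, not part of XAPI or the patch above.

RSAPrivateKey ::= SEQUENCE { version INTEGER, modulus INTEGER, ... }
so the modulus is the second INTEGER inside the outer SEQUENCE.
"""
import base64
import re

OPENSSH_MIN_RSA_BITS = 768   # floor quoted in the commit message
POLICY_MIN_RSA_BITS = 1024   # assumed deployment policy (this example's choice)

_PEM_RE = re.compile(
    r"-----BEGIN RSA PRIVATE KEY-----(.*?)-----END RSA PRIVATE KEY-----", re.S)


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: N length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_private_key_bits(pem):
    """Return the modulus bit length of a PKCS#1 RSA private key in PEM form."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("not a PKCS#1 'RSA PRIVATE KEY' PEM")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    _tag, _version, pos = _read_tlv(body, 0)      # skip version INTEGER
    tag, modulus, _ = _read_tlv(body, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    # DER INTEGERs are signed; a leading 0x00 pad does not change the value.
    return int.from_bytes(modulus, "big").bit_length()


def check_key_policy(pem, min_bits=POLICY_MIN_RSA_BITS):
    """Return (ok, bits, reasons): ok is False if the key is too short for
    OpenSSH authentication or for the given policy minimum."""
    bits = rsa_private_key_bits(pem)
    reasons = []
    if bits < OPENSSH_MIN_RSA_BITS:
        reasons.append(f"{bits}-bit RSA is below OpenSSH's {OPENSSH_MIN_RSA_BITS}-bit minimum")
    if bits < min_bits:
        reasons.append(f"{bits}-bit RSA is below the {min_bits}-bit policy minimum")
    return not reasons, bits, reasons


# --- constructed sample key material, for running the check offline -------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(value):
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")  # pads top bit
    return b"\x02" + _der_len(len(body)) + body


def constructed_pkcs1_pem(modulus_bits):
    """Build a structurally valid RSAPrivateKey PEM whose modulus has exactly
    modulus_bits bits.  The numbers are placeholders, NOT a usable key."""
    n = (1 << (modulus_bits - 1)) | 1           # top bit set, odd
    fields = [0, n, 65537, 1, 1, 1, 1, 1, 1]    # version, n, e, d, p, q, dp, dq, qinv
    body = b"".join(_der_int(v) for v in fields)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END RSA PRIVATE KEY-----\n")


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:] or []:
        with open(path) as f:
            ok, bits, reasons = check_key_policy(f.read())
        print(f"{path}: {bits} bits", "OK" if ok else "FAIL: " + "; ".join(reasons))
```

Run it as `python3 keycheck.py /etc/xensource/xapi-ssl.pem` or over a list of collected `privkey.rsa` files; a pre-patch 512-bit key fails both thresholds, a 768-bit key passes OpenSSH but not the 1024-bit policy, and a 1024-bit key passes both. `openssl rsa -in privkey.rsa -noout -text | head -1` gives the same modulus length where OpenSSL is available.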