
Re: Bug#742145: openssl: uses only 32 bytes (256 bit) for key generation

Thorsten Glaser wrote:
> Florian Weimer dixit:
> >Historically, the OpenSSL command line tools have been intended for
> >debugging only.
> I disagree, in the case of genrsa and friends anyway.

Me too, and openssl(1ssl) does not say the tools are for debugging and not
for production use, or give any warnings. Also, openssl genpkey seems
to have the same problem for RSA keys, and so does openssl dsaparam for
DSA keys.

Google has 96k hits for "openssl genrsa". The very second hit is a HOWTO
on generating RSA keys located on .... openssl.org! (The same file is shipped
as /usr/share/doc/openssl/HOWTO/keys.txt in Debian.)

Also, /usr/sbin/make-ssl-cert uses openssl req, and strace shows it
also reading only 32 bytes of entropy.

ENTROPY_NEEDED is hardcoded to 32.

see shy jo
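The strace observation above (32 bytes read from /dev/urandom before the key is written) is easy to repeat against any command. The following is an added example, not code from the bug report or from OpenSSL: it parses strace output, tracks which file descriptors currently refer to /dev/random or /dev/urandom (so reads on an fd number later reused for another file are not counted), and sums the bytes actually returned. The sample trace embedded in the script is constructed to resemble the genrsa case described in the thread; the strace line formats assumed are the default ones for open/openat/read/close with `-f` and `-o`.

```python
import re
import subprocess
import sys
import tempfile
from typing import Dict, Iterable, List

# strace line shapes we care about. "-f" with "-o FILE" prefixes lines with
# the pid ("1234  openat(..."); "-f" to stderr uses "[pid 1234] openat(...".
PID_PREFIX = re.compile(r"^(?:\[pid\s+\d+\]\s*|\d+\s+)")
OPEN_RE = re.compile(r'^(?:open|openat)\((?:AT_FDCWD, )?"([^"]+)".*\)\s*=\s*(\d+)')
READ_RE = re.compile(r"^read\((\d+),.*\)\s*=\s*(-?\d+)")
CLOSE_RE = re.compile(r"^close\((\d+)\)\s*=\s*(-?\d+)")

RANDOM_DEVICES = ("/dev/random", "/dev/urandom")

# Constructed sample, shaped like the trace the bug report describes: the
# config file is read, then exactly 32 bytes from /dev/urandom, then the key
# file is opened for writing. Not real strace output from openssl.
SAMPLE_TRACE = r"""
openat(AT_FDCWD, "/usr/lib/ssl/openssl.cnf", O_RDONLY) = 3
read(3, "#\n# OpenSSL example configurat"..., 4096) = 1279
close(3)                                = 0
openat(AT_FDCWD, "/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 3
read(3, "\x8f\x12\x0b\xa4"..., 32)      = 32
close(3)                                = 0
openat(AT_FDCWD, "privkey.pem", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 3
"""


def count_entropy_reads(lines: Iterable[str]) -> Dict[str, int]:
    """Return {device: bytes_read} for /dev/random and /dev/urandom.

    Only successful reads (return value > 0) on an fd that was most recently
    opened on a random device are counted; a failed open (= -1 ...) does not
    match OPEN_RE, and a later open on the same fd number forgets the device.
    """
    totals = {dev: 0 for dev in RANDOM_DEVICES}
    open_fds: Dict[int, str] = {}
    for raw in lines:
        line = PID_PREFIX.sub("", raw.strip())
        m = OPEN_RE.match(line)
        if m:
            path, fd = m.group(1), int(m.group(2))
            if path in RANDOM_DEVICES:
                open_fds[fd] = path
            else:
                open_fds.pop(fd, None)  # fd number now refers to something else
            continue
        m = READ_RE.match(line)
        if m:
            fd, n = int(m.group(1)), int(m.group(2))
            if fd in open_fds and n > 0:
                totals[open_fds[fd]] += n
            continue
        m = CLOSE_RE.match(line)
        if m:
            open_fds.pop(int(m.group(1)), None)
    return totals


def total_entropy_bits(totals: Dict[str, int]) -> int:
    """Bytes read from both kernel random devices, expressed in bits."""
    return 8 * sum(totals.values())


def trace_command(cmd: List[str]) -> List[str]:
    """Run cmd under strace (must be installed) and return the trace lines.

    -s 0 truncates the read() buffers so key material never lands in the log.
    """
    with tempfile.NamedTemporaryFile(mode="r", suffix=".strace") as out:
        subprocess.run(["strace", "-f", "-s", "0",
                        "-e", "trace=open,openat,read,close",
                        "-o", out.name] + list(cmd), check=False)
        return out.read().splitlines()


def main(argv: List[str]) -> None:
    # Usage: entropy_reads.py openssl genrsa -out k.pem 4096   (runs strace)
    #        strace -f -s 0 -o t.log openssl genrsa 4096; entropy_reads.py < t.log
    lines = trace_command(argv[1:]) if len(argv) > 1 else sys.stdin.read().splitlines()
    totals = count_entropy_reads(lines)
    for dev, n in totals.items():
        print(f"{dev}: {n} bytes")
    print(f"total: {total_entropy_bits(totals)} bits")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments and the trace on stdin, or pass the command to trace after the script name. A number like 256 bits for a 4096-bit RSA key is exactly the ENTROPY_NEEDED = 32 behaviour the report points at; the script only measures what the process pulled from the kernel, it says nothing about how that seed is stretched inside OpenSSL's PRNG.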
