
Re: [PATCH] gnutls DH prime minimum for wheezy, plus question about openssl



On Fri, Jun 05, 2015 at 01:56:18PM +0200, Thorsten Glaser wrote:
> 
> OpenSSL upstream is said (citation needed) to wish to require a
> 1024 bit minimum in some later version but require 768 bits now.

http://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/

> I cannot find this in either upstream's 1.0.2a release or the one
> currently in sid.

It should end up in all suites in Debian soon.

> I did find it as commit 10a70da729948bb573d27cef4459077c49f3eb46
> in upstream's git, except the error path needs to set al too AFAICS.

I'm not sure what you mean.  The ssl3_check_cert_and_algorithm()
function doesn't have an "al" variable, it always sends the
SSL_AD_HANDSHAKE_FAILURE alert.


Kurt

