TLS: Increase RSA keysize of autogen selfsign cert
authorJeremy Harris <jgh146exb@wizmail.org>
Wed, 28 Nov 2018 19:45:24 +0000 (19:45 +0000)
committerJeremy Harris <jgh146exb@wizmail.org>
Wed, 28 Nov 2018 21:41:01 +0000 (21:41 +0000)
doc/doc-txt/ChangeLog
src/src/tls-gnu.c
src/src/tls-openssl.c

index f575a10e195885a987220a4f249f5747b671aab9..1bf611011117b963f4ae2554725e9b86e203c556 100644 (file)
@@ -155,6 +155,11 @@ JH/33 Bug 2338: Fix the cyrus-sasl authenticator to fill in the
       $authenticated_fail_id variable on authentication failure.  Previously
       it was unset.
 
+JH/34 Increase RSA keysize of autogen selfsign cert from 1024 to 2048.  RHEL 8.0
+      OpenSSL didn't want to use such a weak key.  Do for GnuTLS also, and for
+      more-modern GnuTLS move from GNUTLS_SEC_PARAM_LOW to
+      GNUTLS_SEC_PARAM_MEDIUM.
+
 
 Exim version 4.91
 -----------------
index 3e7e8f9323fb358bdf30022f01c701ccf4c67215..25fe2f4060bec20adc6921fcb45f0cf9802d4dfd 100644 (file)
@@ -787,9 +787,9 @@ if ((rc = gnutls_x509_crt_init(&cert))) goto err;
 where = US"generating pkey";
 if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
 #ifdef SUPPORT_PARAM_TO_PK_BITS
-           gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_LOW),
+           gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_MEDIUM),
 #else
-           1024,
+           2048,
 #endif
            0)))
   goto err;
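Review bot: `GNUTLS_SEC_PARAM_MEDIUM` on the new `gnutls_sec_param_to_pk_bits()` line is guarded only by `SUPPORT_PARAM_TO_PK_BITS`, and the ChangeLog entry itself describes this as a change for more-modern GnuTLS. The definition of that macro is outside this hunk, so confirm it is not enabled for a library version whose headers lack the MEDIUM enumerator; if it is, that build fails. In this branch the bit count is also chosen by the library's table rather than by Exim, so the two preprocessor branches are not guaranteed to give the same key size. A comment such as `/* library-chosen size; intended to be at least the 2048 of the fallback branch */` would record the intent. The enclosing function starts and ends outside the hunk.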
index 3299c2046711f6cd1301465aad0f18ac7107dae7..cd11f65df5d27af7a215f26549dc22e4c5a1da45 100644 (file)
@@ -1174,7 +1174,7 @@ if (!(x509 = X509_new()))
   goto err;
 
 where = US"generating pkey";
-if (!(rsa = rsa_callback(NULL, 0, 1024)))
+if (!(rsa = rsa_callback(NULL, 0, 2048)))
   goto err;
 
 where = US"assigning pkey";
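Review bot: The literal `2048` passed to `rsa_callback()` duplicates the fallback value in src/src/tls-gnu.c with nothing tying the two together, so a later increase could update one TLS backend and leave the other generating a weaker self-signed key. A shared named constant, or at least a comment on this line such as `/* selfsign RSA key size; keep in step with tls-gnu.c */`, would make the minimum explicit. The reason for the floor is only in the ChangeLog (RHEL 8.0 OpenSSL refused the 1024-bit key) and is worth recording next to the call as well. The enclosing function continues outside the hunk.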