From: Jeremy Harris Date: Wed, 28 Nov 2018 19:45:24 +0000 (+0000) Subject: TLS: Increase RSA keysize of autogen selfsign cert X-Git-Tag: exim-4.92-RC1~15 X-Git-Url: https://vcs.fsf.org/?p=exim.git;a=commitdiff_plain;h=6aac3239b4ce9638c2c5647684dc4ff2a6afbb42;hp=f94aac30115bc94f2a1c8e3536ad7d40e7e4f302 TLS: Increase RSA keysize of autogen selfsign cert --- diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index f575a10e1..1bf611011 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -155,6 +155,11 @@ JH/33 Bug 2338: Fix the cyrus-sasl authenticator to fill in the $authenticated_fail_id variable on authentication failure. Previously it was unset. +JH/34 Increase RSA keysize of autogen selfsign cert from 1024 to 2048. RHEL 8.0 + OpenSSL didn't want to use such a weak key. Do for GnuTLS also, and for + more-modern GnuTLS move from GNUTLS_SEC_PARAM_LOW to + GNUTLS_SEC_PARAM_MEDIUM. + Exim version 4.91 ----------------- diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index 3e7e8f932..25fe2f406 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -787,9 +787,9 @@ if ((rc = gnutls_x509_crt_init(&cert))) goto err; where = US"generating pkey"; if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA, #ifdef SUPPORT_PARAM_TO_PK_BITS - gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_LOW), + gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_MEDIUM), #else - 1024, + 2048, #endif 0))) goto err; diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 3299c2046..cd11f65df 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -1174,7 +1174,7 @@ if (!(x509 = X509_new())) goto err; where = US"generating pkey"; -if (!(rsa = rsa_callback(NULL, 0, 1024))) +if (!(rsa = rsa_callback(NULL, 0, 2048))) goto err; where = US"assigning pkey";