[Pkg-openssl-devel] Bug#742145: openssl: uses only 32 bytes (256 bit) for key generation

Joey Hess joeyh at debian.org
Wed Mar 19 21:33:44 UTC 2014


Thorsten Glaser wrote:
> Florian Weimer dixit:
> >Historically, the OpenSSL command line tools have been intended for
> >debugging only.
> 
> I disagree, in the case of genrsa and friends anyway.

Me too, and openssl(1ssl) does not mention being for debugging only or
not for production use, or give any warnings. Also, openssl genpkey seems
to have the same problem for RSA keys, and so does openssl dsaparam for
DSA keys.

Google has 96k hits for "openssl genrsa". The very second hit is a HOWTO
generate RSA key located on .... openssl.org! (The same file is shipped
as /usr/share/doc/openssl/HOWTO/keys.txt in Debian.)

Also, /usr/sbin/make-ssl-cert uses openssl req, and strace shows it
also reading only 32 bytes of entropy.

ENTROPY_NEEDED is hardcoded to 32.

-- 
see shy jo