Re: [tor-bugs] #27971 [Core Tor/Tor]: Still supports 1024 bit keys
#27971: Still supports 1024 bit keys
--------------------------------+------------------------------------
Reporter: kroeckx | Owner: nickm
Type: defect | Status: assigned
Priority: High | Milestone: Tor: 0.3.5.x-final
Component: Core Tor/Tor | Version:
Severity: Normal | Resolution:
Keywords: crypto regression? | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------+------------------------------------
Comment (by nickm):
Okay, I've investigated this a bit more.
Changing TLS_DH_PRIME to a 2048-bit prime is easy enough; after doing so,
the 0.3.5 unit tests almost pass at security level 2, and "make test-network" passes.
In 0.2.9, increasing the TLS prime length to 2048 is also okay. However,
in 0.2.9, raising the security level to 2 makes a few dozen unit tests
fail.
Here's what I'd propose:
* Raise the TLS prime size to the 2048-bit named prime from RFC7919 in
0.2.9 and forward, fixing unit tests as needed.
* In versions before 0.3.4 or 0.3.5, move the
SSL_CTX_set_security_level(1) call to only happen in the unit tests.
* In 0.3.5, remove the SSL_CTX_set_security_level() call entirely, and
fix the one failing unit test.
(I only tested this with OpenSSL 1.1.0i -- there might well be
compatibility issues with other versions for us to sort out.)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27971#comment:6>
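The comment above turns on the relationship between the DH prime length and OpenSSL's security level (level 2 requires 112-bit security, i.e. a 2048-bit DH prime, which a 1024-bit TLS_DH_PRIME cannot satisfy). As an added illustration that is not Tor's code, the following Python parses PKCS#3 DH parameters (SEQUENCE { prime INTEGER, base INTEGER }, the DER form OpenSSL reads and writes) and checks the prime against the minimum modulus size the SSL_CTX_set_security_level(3) man page lists for each level. The two parameter blobs are constructed for the format check only; they are not the RFC 7919 primes and not safe primes.

```python
# OpenSSL security level -> minimum RSA/DSA/DH modulus bits,
# per SSL_CTX_set_security_level(3): 80/112/128/192/256-bit security.
SECURITY_LEVEL_MIN_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}

def _der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_integer(value):
    """DER INTEGER for a non-negative value (0x00 pad keeps it positive)."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body

def encode_dh_params(p, g):
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }."""
    body = der_integer(p) + der_integer(g)
    return b"\x30" + _der_len(len(body)) + body

def _read_tlv(buf, pos):
    """Read one tag/length/value triple starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_dh_params(der):
    """Return (p, g) from a DER DHParameter blob; ValueError on bad structure."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER, INTEGER")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")

def dh_prime_bits(der):
    return parse_dh_params(der)[0].bit_length()

def meets_security_level(der, level):
    """True if the DH prime is long enough for the given OpenSSL security level."""
    return dh_prime_bits(der) >= SECURITY_LEVEL_MIN_BITS[level]

# Constructed sample blobs (top bit set so the bit length is exact).
# NOT real DH groups; they only stand in for a 1024- and a 2048-bit parameter set.
DH_1024_SAMPLE = encode_dh_params((1 << 1023) | 1, 2)
DH_2048_SAMPLE = encode_dh_params((1 << 2047) | 1, 2)
```

Feeding it a 1024-bit parameter set passes level 1 but fails level 2, which is the failure mode the ticket describes; a real parameter file can be checked by DER-decoding its PEM body and passing the bytes to `meets_security_level`.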