Why is the default DH keysize only 512 bits?
Jason Wittlin-Cohen
jasonwc at brandeis.edu
Fri Sep 29 14:45:20 CEST 2006
Alan DeKok wrote:
> Jason Wittlin-Cohen <jasonwc at brandeis.edu> wrote:
>
>> I noticed that the default DH keysize in FreeRadius 1.1.3 is 512 bits.
>>
>
> If you're talking about the key length in the EAP-TLS module, it
> looks like those aren't being used for anything. See the source.
>
> It does look like the EAP-TLS code is setting a 512-bit ephemeral
> RSA key, but my reading of the OpenSSL docs indicates it won't be
> used, because SSL_OP_EPHEMERAL_RSA isn't being set. So that code
> could be deleted entirely.
>
>
>> I originally thought that the DH
>> keysize would be determined by the DH parameter file and only realized
>> that it was still using 512 bit keys when I ran freeradius in debug
>> mode.
>>
>
> Which prints out configuration entries that aren't being used.
>
> $ cd src/modules/rlm_eap
> $ grep -r key_length .
> ./libeap/mppe_keys.c: PRF(s->session->master_key, s->session->master_key_length,
> ./libeap/mppe_keys.c: PRF(s->session->master_key, s->session->master_key_length,
> ./types/rlm_eap_tls/rlm_eap_tls.c: { "rsa_key_length", PW_TYPE_INTEGER,
> ./types/rlm_eap_tls/rlm_eap_tls.c: offsetof(EAP_TLS_CONF, rsa_key_length), NULL, "512" },
> ./types/rlm_eap_tls/rlm_eap_tls.c: { "dh_key_length", PW_TYPE_INTEGER,
> ./types/rlm_eap_tls/rlm_eap_tls.c: offsetof(EAP_TLS_CONF, dh_key_length), NULL, "512" },
> ./types/rlm_eap_tls/rlm_eap_tls.h: int rsa_key_length;
> ./types/rlm_eap_tls/rlm_eap_tls.h: int dh_key_length;
>
> See? They're config options that aren't used. They should be deleted.
>
So, if dh_key_length is being ignored, how is the DH key size
determined? By the DH parameter file?
Jason
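A practical way to answer the question above is to inspect the DH parameter file itself: with OpenSSL, the ephemeral DH group size is the size of the prime p in the parameters loaded into the SSL context, so the modulus in the file is what matters, not an unused integer option. `openssl dhparam -in <file> -text -noout` prints that size. The script below is an added example, not code from this thread or from FreeRADIUS; it parses the PEM "DH PARAMETERS" block directly (PKCS#3 DHParameter: SEQUENCE { INTEGER p, INTEGER g }) with no external dependencies and flags a group below a chosen minimum. The two sample files are constructed in the script from fixed moduli that are not real safe primes; they only exercise the encoding and size check.

```python
import base64
import textwrap

# --- minimal DER encoding, used only to construct the sample files below ---

def _der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(v):
    """Encode a non-negative INTEGER; the +8 keeps a leading 0x00 when the top bit is set."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body

def make_dhparam_pem(p, g=2):
    """Wrap SEQUENCE { INTEGER p, INTEGER g } as a PEM 'DH PARAMETERS' block."""
    content = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(content)) + content
    b64 = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN DH PARAMETERS-----\n"
            + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END DH PARAMETERS-----\n")

# --- the part that matters: read a dhparam file and report the group size ---

def _read_tlv(buf, pos):
    """Return (tag, contents, position after this element) for the DER element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold the size
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_dhparam_pem(pem_text):
    """Return (p, g) from a PEM 'DH PARAMETERS' block."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if lines[0] != "-----BEGIN DH PARAMETERS-----" or lines[-1] != "-----END DH PARAMETERS-----":
        raise ValueError("not a PEM DH PARAMETERS block")
    der = base64.b64decode("".join(lines[1:-1]))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_bytes, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    tag, g_bytes, _ = _read_tlv(seq, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")

def dh_param_bits(pem_text):
    """Group size in bits, i.e. the bit length of the modulus p."""
    p, _ = parse_dhparam_pem(pem_text)
    return p.bit_length()

def check_dh_strength(pem_text, minimum_bits=2048):
    """True if the file's DH group meets the minimum size; 512-bit groups fail."""
    return dh_param_bits(pem_text) >= minimum_bits

# Constructed sample moduli (NOT real safe primes; chosen only for their bit length).
WEAK_P = (1 << 511) | (1 << 200) | 1        # 512-bit modulus
STRONG_P = (1 << 2047) | (1 << 1000) | 1    # 2048-bit modulus
WEAK_PEM = make_dhparam_pem(WEAK_P)
STRONG_PEM = make_dhparam_pem(STRONG_P)

if __name__ == "__main__":
    for name, pem in (("weak", WEAK_PEM), ("strong", STRONG_PEM)):
        print(name, dh_param_bits(pem), "bits, acceptable:", check_dh_strength(pem))
```

To check a real file, pass its contents to `dh_param_bits()`; the result should match what `openssl dhparam -text -noout` reports for the same file.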