Nelson B Bolyard wrote:
> Rui Hodai wrote, On 2009-01-20 16:37:
>> I found that 1024-bit keys are used as the DHE key irrespective of the
>> SSL certificates when I captured communication packets between
>> Firefox3 and Apache+OpenSSL.
>
> Right.  DHE is not tied to the sizes of keys in certs.
>
>> - Which decides the DHE key size?
>>   e.g. SSL server (Apache+OpenSSL etc.), Firefox3
>
> The server chooses P and g, and P determines key size.
>
> ...
>
> The NSS libraries provide access to that information, but whether or
> not the browser displays it is entirely up to the browser, not to NSS.

How do I access this information?  Is it also available via JSS?

I'm trying to figure out how to restrict key sizes to 2048 or larger
to be in compliance with NIST's recommended key sizes in 2011
(SP 800-57).

With the org.mozilla.jss.ssl.SSLCertificateApprovalCallback class, I
believe I can restrict RSA/DSA to 2048-bit or higher by inspecting
the public key on the certificate.  (Essentially, our client would
refuse to talk to the server if the key size wasn't large enough.)

I don't see how to restrict the DH key sizes.

Thank you.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

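As an added example (not code from this thread, and not JSS or NSS code), here is a Python 3 check a client could apply to the server's DHE ServerKeyExchange handshake message to enforce the 2048-bit minimum asked about above. It parses the ServerDHParams (p, g, Ys) that the server chose, takes the bit length of p as the DH key size, and rejects the group if p is too short or the parameters are out of range. The message builder and the sample p values are constructed test data: the samples are chosen only for their bit length and are not real safe primes.

```python
import struct

# TLS HandshakeType value for server_key_exchange (RFC 2246 / RFC 5246).
HANDSHAKE_SERVER_KEY_EXCHANGE = 12


def _read_vector16(buf, offset):
    """Read a TLS opaque<1..2^16-1> vector: 2-byte length prefix, then the bytes."""
    if offset + 2 > len(buf):
        raise ValueError("truncated vector length")
    (length,) = struct.unpack_from("!H", buf, offset)
    offset += 2
    if length == 0 or offset + length > len(buf):
        raise ValueError("truncated vector body")
    return buf[offset:offset + length], offset + length


def parse_dhe_server_params(handshake):
    """Parse ServerDHParams from a DHE ServerKeyExchange handshake message.

    Layout: type(1) | length(3) | dh_p | dh_g | dh_Ys | signature...
    Only applies to DHE_RSA / DHE_DSS suites; ECDHE uses a different body.
    """
    if len(handshake) < 4 or handshake[0] != HANDSHAKE_SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange message")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    p_bytes, off = _read_vector16(body, 0)
    g_bytes, off = _read_vector16(body, off)
    ys_bytes, off = _read_vector16(body, off)
    p = int.from_bytes(p_bytes, "big")
    # bit_length() ignores leading zero bytes, so a padded 1024-bit p still reads as 1024.
    return {
        "p": p,
        "g": int.from_bytes(g_bytes, "big"),
        "ys": int.from_bytes(ys_bytes, "big"),
        "p_bits": p.bit_length(),
        "signature": body[off:],
    }


def dhe_params_acceptable(handshake, min_bits=2048):
    """Return (ok, reason). The client should abort the handshake when ok is False."""
    params = parse_dhe_server_params(handshake)
    if params["p_bits"] < min_bits:
        return False, f"DH prime is {params['p_bits']} bits, below the {min_bits}-bit minimum"
    if params["p"] % 2 == 0:
        return False, "DH prime is even"
    if not 1 < params["g"] < params["p"] - 1:
        return False, "DH generator out of range"
    if not 1 < params["ys"] < params["p"] - 1:
        return False, "DH server public value out of range"
    return True, f"DH prime is {params['p_bits']} bits"


def build_server_key_exchange(p, g, ys, signature=b""):
    """Build a DHE ServerKeyExchange message (constructed test data, not a real server's)."""
    def vec(n):
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(b)) + b
    body = vec(p) + vec(g) + vec(ys) + signature
    return bytes([HANDSHAKE_SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body


# Constructed sample groups: only the bit length matters to this check, so these are
# odd 1024-bit and 2048-bit values, not real safe primes (assumed test data).
WEAK_P = (1 << 1023) | 0x1234567
STRONG_P = (1 << 2047) | 0x1234567


if __name__ == "__main__":
    for label, p in (("1024-bit group", WEAK_P), ("2048-bit group", STRONG_P)):
        msg = build_server_key_exchange(p, 2, pow(2, 0xABCDEF, p))
        ok, why = dhe_params_acceptable(msg)
        print(f"{label}: {'accept' if ok else 'reject'} ({why})")
```

The check has to run on the ServerKeyExchange before the client sends its ClientKeyExchange, since after that point the client has already committed to the server's group; whether a JSS callback offers a hook at that stage is the question the thread leaves open.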