Robert,

On 3/10/15 12:16 PM, Robert Paasche wrote:
> Explained code changes:
>
> Get the private key:
>   pkey = SSL_get_privatekey(ssl);
>   type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE;
>
> If the encryption algorithm is either RSA or DSA we override the given
> keylen parameter to match the length of the private key:
>   keylen = EVP_PKEY_bits(pkey);
I think we might also want to change the "switch" at the bottom of the function to instead check ranges of bits rather than exact sizes. Due to a typo in generating a certificate at some point, we had a server certificate with a 4906-bit key. Yes, that's four-nine-oh-six bits instead of 4096-bit. (Note that there were some SSL stacks that couldn't handshake with us because of inflexible acceptable key lengths.) Given the switch statement that's in sslcontext.c, we'd end up with a 1024-bit DH key instead of the more appropriate and available 4096-bit key.

-chris
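An added illustration of the range check Chris suggests, written for this thread rather than taken from tcnative's sslcontext.c; the 1024/2048/4096 ladder of available DH parameter sizes is an assumption, as is the odd 4906-bit sample key length (taken from Chris's anecdote):

```c
#include <stdio.h>

/* Hypothetical exact-match selection, modelled on the kind of switch
 * Chris describes: any key length that is not literally on the ladder
 * falls through to the weakest DH group, so a mistyped 4906-bit key is
 * paired with 1024-bit DH parameters. Sizes are assumed, not tcnative's. */
static int dh_bits_exact(int keylen)
{
    switch (keylen) {
    case 4096: return 4096;
    case 2048: return 2048;
    case 1024: return 1024;
    default:   return 1024;   /* unusual key -> weakest group */
    }
}

/* Range-based selection: pick the largest DH group that the key strength
 * justifies, so a key of at least 4096 bits (4906 included) gets the
 * 4096-bit group. keylen is the value EVP_PKEY_bits() would report. */
static int dh_bits_ranged(int keylen)
{
    if (keylen >= 4096) return 4096;
    if (keylen >= 2048) return 2048;
    return 1024;              /* floor: smallest group available */
}

int main(void)
{
    /* Constructed sample key lengths: the ladder sizes plus the typo case. */
    const int samples[] = { 1024, 2048, 4096, 4906, 3072 };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("key %4d bits: exact-match DH %4d, ranged DH %4d\n",
               samples[i], dh_bits_exact(samples[i]),
               dh_bits_ranged(samples[i]));
    }
    return 0;
}
```

The 4906-bit line shows the difference: exact matching yields 1024, the range check yields 4096.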