[PATCH 2/2] virnettlscontext: Don't pass static key length to gnutls_dh_params_generate2()

Michal Prívozník mprivozn at redhat.com
Mon Jan 3 08:38:09 UTC 2022

On 12/22/21 14:12, Ján Tomko wrote:
> On a Tuesday in 2021, Michal Privoznik wrote:
>> As encryption norms get more strict it's easy to fall on the
>> insecure side. For instance, so far we are generating 2048 bits
>> long prime for Diffie-Hellman keys. Some systems consider this
>> not long enough. While we may just keep increasing the value
>> passed to the corresponding gnutls_* function, that is not well
>> maintainable. Instead, we may do what's recommended in the
> Is there a promise gnutls will increase those in the future?
>> gnutls_* manpage. From gnutls_dh_params_generate2(3):
>>  It is recommended not to set the number of bits directly, but
>>  use gnutls_sec_param_to_pk_bits() instead.
>> Looking into the gnutls_sec_param_to_pk_bits() then [1], 2048
>> bits corresponds to parameter MEDIUM. Therefore, we want to chose
>> the next size (HIGH) to be future proof.
> IMO this patch should use MEDIUM and the bump should be separate.

Good point, let me merge this with MEDIUM and post switch to HIGH in a
separate patch.


More information about the libvir-list mailing list