[PATCH] virnettlscontext: Generate longer DH keys

Michal Privoznik mprivozn at redhat.com
Mon Jan 3 12:01:23 UTC 2022

Currently, we generate 2048 bits long DH keys. This may look
enough, but it's not very future proof. When system crypto policy
is tightened only 3072 or longer keys are valid. From

    A conservative security policy that is believed to withstand
    any near-term future attacks. ...

      •   DH params size: >= 3072
      •   RSA keys size: >= 3072

This policy corresponds to GNUTLS_SEC_PARAM_HIGH parameters.
Therefore, pass that to gnutls_sec_param_to_pk_bits() to get
longer key.

Signed-off-by: Michal Privoznik <mprivozn at redhat.com>

Technically, this is a v2 of:


and was already reviewed. I'm sending it here because I've split the
original patch into two. The first one, which switches to
gnutls_sec_param_to_pk_bits() usage is merged. The second one (this one)
which lengthens the key is not.

 src/rpc/virnettlscontext.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c
index 55da485f96..f0b1e8f9c1 100644
--- a/src/rpc/virnettlscontext.c
+++ b/src/rpc/virnettlscontext.c
@@ -718,7 +718,7 @@ static virNetTLSContext *virNetTLSContextNew(const char *cacert,
     if (isServer) {
         unsigned int bits = 0;
-        bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM);
+        bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_HIGH);
         if (bits == 0) {
             virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                            _("Unable to get key length for diffie-hellman parameters"));

More information about the libvir-list mailing list