genpkey generates short 1024-bit RSA keys by default? #8737

Closed
thanatos opened this issue Apr 13, 2019 · 0 comments

@thanatos commented Apr 13, 2019

The default key size for an RSA key generated with genpkey is 1024 bits:

» openssl genpkey -algorithm RSA 2>/dev/null | openssl rsa -noout -text | grep RSA
RSA Private-Key: (1024 bit, 2 primes)

The older (deprecated?) genrsa has a different default, of 2048 bits:

» openssl genrsa 2>/dev/null | openssl rsa -noout -text | grep RSA
RSA Private-Key: (2048 bit, 2 primes)

My understanding is that 1024-bit long keys are not considered secure these days. (And that CAs have required at least 2048-bit keys for RSA keys since 2014.) The difference between genrsa and genpkey makes me think this is a mistake. (I suspect genrsa, despite being superseded, is much more commonly used due to the number of examples on the Internet that use it.)

I am using OpenSSL v1.1.1b on Arch Linux:

» openssl version
OpenSSL 1.1.1b  26 Feb 2019
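
An added example (not part of the original issue or of OpenSSL's code): a shell helper that pins the RSA size with `-pkeyopt rsa_keygen_bits` instead of trusting the `genpkey` default reported above, then re-reads the key to confirm its size. The function names and the 2048-bit floor in `MIN_RSA_BITS` are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: pin the RSA size explicitly and verify the generated key.
# MIN_RSA_BITS and all function names are assumptions for illustration.
MIN_RSA_BITS=2048   # policy floor, matching the CA minimum cited in the issue

# Read `openssl rsa -noout -text` output on stdin and print the modulus size.
# Accepts "RSA Private-Key: (1024 bit, 2 primes)" (1.1.1, as in the issue)
# and the unprefixed "Private-Key: (2048 bit, 2 primes)" form.
rsa_bits_from_text() {
    sed -n 's/^\(RSA \)\{0,1\}Private-Key: (\([0-9][0-9]*\) bit.*/\2/p' | head -n 1
}

# True only for a decimal size at or above the floor; empty or garbled
# input fails closed instead of being treated as acceptable.
meets_floor() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$MIN_RSA_BITS" ]
}

# Print the size in bits of the RSA private key in PEM file $1.
rsa_key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null | rsa_bits_from_text
}

# gen_rsa_key OUTFILE [BITS]: generate with an explicit size, never the tool
# default, then re-read the key and delete it if it is below the floor.
gen_rsa_key() {
    bits=${2:-$MIN_RSA_BITS}
    meets_floor "$bits" || { echo "refusing RSA size: $bits" >&2; return 1; }
    ( umask 077   # private key readable by owner only
      openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$bits" \
          -out "$1" 2>/dev/null ) || return 1
    meets_floor "$(rsa_key_bits "$1")" || { rm -f "$1"; return 1; }
}
```

After sourcing the file, `gen_rsa_key server.key 3072` writes a key of the requested size, and `meets_floor "$(rsa_key_bits existing.key)"` audits a key already on disk (both file names are placeholders).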

kroeckx added a commit to kroeckx/openssl that referenced this issue Apr 13, 2019

kroeckx added a commit to kroeckx/openssl that referenced this issue Apr 14, 2019


levitte closed this in 70b0b97 May 21, 2019

levitte pushed a commit that referenced this issue May 21, 2019

Change default RSA, DSA and DH size to 2048 bit
Fixes: #8737

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #8741
(cherry picked from commit 70b0b97)

pps83 added a commit to pps83/openssl that referenced this issue May 31, 2019

Change default RSA, DSA and DH size to 2048 bit
Fixes: openssl#8737

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: openssl#8741
