Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Increase key size to 2048 bits #45

Merged
merged 3 commits into from
Apr 15, 2019
Merged

Increase key size to 2048 bits #45

merged 3 commits into from
Apr 15, 2019

Conversation

basak
Copy link
Member

@basak basak commented Apr 13, 2019

Debian changed the default security level to 2 since openssl package version 1.1.1~~pre9-1 (August 2018), which requires a minimum key size of 2048 bit or larger RSA and DHE keys. To avoid test failures on newer Debian systems against OpenSSL, use a key size of at least 2048 bits.

I guess another approach might be to adjust the way OpenSSL is used to somehow override CipherString in /etc/ssl/openssl.cnf at runtime. I'm not sure how to do that.

This is Debian bug 926652. The build failure is logged here (I'm not sure how long that will be retained for).

I intend to patch Debian with this soon, to allow python-trustme 0.4.0 to make the next Debian release, at least. Please let me know if you think this is the wrong thing to do.

@basak
Increase key size to 2048 bits
96b8799 
Debian changed the default security level to 2 since openssl package
version 1.1.1~~pre9-1 (August 2018), which requires a minimum key size
of 2048 bit or larger RSA and DHE keys. To avoid test failures on newer
Debian systems against OpenSSL, use a key size of at least 2048 bits.
@codecov
Copy link

codecov bot commented Apr 13, 2019
edited

Codecov Report

Merging #45 into master will not change coverage.
The diff coverage is 100%.

@@          Coverage Diff          @@
##           master    #45   +/-   ##
=====================================
  Coverage     100%   100%           
=====================================
  Files           3      3           
  Lines         354    354           
  Branches       23     23           
=====================================
  Hits          354    354
Impacted Files Coverage Δ
trustme/__init__.py 100% <100%> (ø) ⬆️

@njsmith
Copy link
Member

njsmith commented Apr 14, 2019

Yeah, I guess we have no choice... on the "my laptop" benchmark, this seems to bump the time to issue a server cert up to 160 ms:

# 1024 bits (current)
In [4]: %timeit trustme.CA().issue_server_cert("localhost")                     
34.6 ms ± 4.97 ms per loop (mean ± std. dev. of 7 runs, 10 loops each)

# 2048 bits (this PR)
In [5]: trustme._KEY_SIZE = 2048                                                

In [6]: %timeit trustme.CA().issue_server_cert("localhost")                     
160 ms ± 11.4 ms per loop (mean ± std. dev. of 7 runs, 10 loops each)

Sad but not too bad. When people start requiring 4096 bit certs then we might need to think if there are any kluges we can do to speed things up...

@njsmith
Copy link
Member

njsmith commented Apr 14, 2019

I tightened up the comment a bit, directly in your branch.

Can you also add a newsfragment? Just something like newsfragments/45.bugfix.rst with contents Update key size to 2048 bits, as required by recent Debian.

@njsmith njsmith merged commit 15c60e6 into python-trio:master Apr 15, 2019
@njsmith
Copy link
Member

njsmith commented Apr 15, 2019

Thanks! And as per our contribution policy, I'm sending you a github invite now :-)

@pquentin pquentin mentioned this pull request Oct 28, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@basak @njsmith