[PATCH] virnettlscontext: Generate longer DH keys

Currently, we generate 2048 bits long DH keys. This may look enough, but it's not very future proof. When system crypto policy is tightened only 3072 or longer keys are valid. From CRYPTO-POLICIES(7): FUTURE A conservative security policy that is believed to withstand any near-term future attacks. ... • DH params size: >= 3072 • RSA keys size: >= 3072 This policy corresponds to GNUTLS_SEC_PARAM_HIGH parameters. Therefore, pass that to gnutls_sec_param_to_pk_bits() to get longer key. Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com&gt; --- Technically, this is a v2 of: https://listman.redhat.com/archives/libvir-list/2021-December/msg00827.html and was already reviewed. I'm sending it here because I've split the original patch into two. The first one, which switches to gnutls_sec_param_to_pk_bits() usage is merged. The second one (this one) which lengthens the key is not. src/rpc/virnettlscontext.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c index 55da485f96..f0b1e8f9c1 100644 --- a/src/rpc/virnettlscontext.c +++ b/src/rpc/virnettlscontext.c @@ -718,7 +718,7 @@ static virNetTLSContext *virNetTLSContextNew(const char *cacert, if (isServer) { unsigned int bits = 0; - bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM); + bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_HIGH); if (bits == 0) { virReportError(VIR_ERR_SYSTEM_ERROR, "%s", _("Unable to get key length for diffie-hellman parameters")); -- 2.34.1