Re: [PATCH 2/2] virnettlscontext: Don't pass static key length to gnutls_dh_params_generate2()

On a Tuesday in 2021, Michal Privoznik wrote: > As encryption norms get more strict it's easy to fall on the > insecure side. For instance, so far we are generating 2048 bits > long prime for Diffie-Hellman keys. Some systems consider this > not long enough. While we may just keep increasing the value > passed to the corresponding gnutls_* function, that is not well > maintainable. Instead, we may do what's recommended in the Is there a promise gnutls will increase those in the future? > gnutls_* manpage. From gnutls_dh_params_generate2(3): > >  It is recommended not to set the number of bits directly, but >  use gnutls_sec_param_to_pk_bits() instead. > > Looking into the gnutls_sec_param_to_pk_bits() then [1], 2048 > bits corresponds to parameter MEDIUM. Therefore, we want to chose > the next size (HIGH) to be future proof. IMO this patch should use MEDIUM and the bump should be separate.