1:57 a.m.
In not so distant past (v6.5.0~3) I've updated the private key we
use for virnettls* tests. Back then I was driven by Fedora 33
change which deprecated RSA-1024 which we used back then. I
generated an EC-384 key which was fine as it was considered
strong enough until RHEL-9 came along. RHEL-9 no longer considers
any of EC keys strong enough (for key exchange) and thus we're
back to RSA, but this time with 2048 bits. Generated by this cmd
line:
openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
Honestly, I don't fully understand why EC is not good enough. If I run
'gnutls-cli --list' on a RHEL-9 box and Rawhide box the output is the
same except for 'Groups' line where Rawhide contains 'GROUP-GC256B,
GROUP-GC512A' on the top of what RHEL-9 has.
And I can even find the following:
enabled-curve = SECP384R1
in /usr/share/crypto-policies/DEFAULT/gnutls.txt on the RHEL-9 box. This
all makes me think that something else must be going on, but I have no
mental capacity to debug any further.
tests/virnettlshelpers.c | 30 ++++++++++++++++++++++++++----
1 file changed, 26 insertions(+), 4 deletions(-)
diff --git a/tests/virnettlshelpers.c b/tests/virnettlshelpers.c
index 905e633e60..1886b4b5f5 100644
--- a/tests/virnettlshelpers.c
+++ b/tests/virnettlshelpers.c
@@ -47,10 +47,32 @@ extern const asn1_static_node pkix_asn1_tab[];
gnutls_x509_privkey_t privkey;
# define PRIVATE_KEY \
"-----BEGIN PRIVATE KEY-----\n" \
- "MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDD39t6GRLeEmsYjRGR6\n" \
- "iQiIN2S4zXsgLGS/2GloXdG7K+i/3vEJDt9celZ0DfCLcG6hZANiAAQTJIe13jy7\n" \
- "k4KTXMkHQHEJa/asH263JaPL5kTbfRa6tMq3DS3pzWlOj+NHY/9JzthrKD+Ece+g\n" \
- "2g/POHa0gfXRYXGiHTs8mY0AHFqNNmF38eIVGjOqobIi90MkyI3wx4g=\n" \
+ "MIIEuwIBADANBgkqhkiG9w0BAQEFAASCBKUwggShAgEAAoIBAQCo5oG7tx5EGtHW\n" \
+ "ZNHNG8lOei7IEuL6N39/Gkhl7XHXBmb2+Q+iGDI7uhzni/2/A6cUsPMKS4YWn74h\n" \
+ "NLDyBuB7Fge5iYooKYqb9FyPWLmkAXGOaLMwxEpp2yZUusVLxZ3USeHtVK6e6sXV\n" \
+ "x1hTxuntqPW4kZ7gaDWw27I3CBugiLptxb0M2ENRLyCkLKgyYf3PlnpD1ifupVgO\n" \
+ "WNLjkoNgjSTOtnFkYQHm/sk37nrzj7yqzo46CeSGEAopnfQ5UaIv21DLyKQKmZfh\n" \
+ "aWbDvQq/hDxLbG+nm79DZBHxe9uX9XWeuHp7AWo7G4MTyU7NHj3aMNR8tfdPjF81\n" \
+ "2Hbbk+XrAgMBAAECggEAHKXcY2aP76VM6jx3iX6pCnKW9MCfVymKqphep0s6/+nK\n" \
+ "FSHxkODhxFexB2UrSPbppAzPbHOa7sNxkFhLmwGnmbkG3mWB1YYWSJWODZJTCopk\n" \
+ "JG+F1UO2C3Zsbfqv9EY0mwldFNBEPhg8LiJ9zNf0XadG5mNsu0txr+nTtJnfdb70\n" \
+ "k/Af/usszzxSbNZCwmfR4DeS3Nmsi4jpn0XJ/otKQR/up4snjH9rIv8ybArZVJFP\n" \
+ "/sGL725jz671O8u5JJ4iLVbI+y7nyxiHDJMCJtg9S0TAeCXR1XdJXWzcwPFpQrMq\n" \
+ "HtkdgdHhMOJEloQzEgp98KYzJr5eiwF/jMAC37IBQQKBgQDdGYjC7ckZ4xETBjn0\n" \
+ "S/Q6aePYte0Z5RCReoamHmUgrQNe+y7Ts6owSFGr5WUG7euQ6Rq2ewsQQOlU1LeX\n" \
+ "JD7YtsHxwSc+aruxuyVcu5uARcoHDYHMV9y8QZkTt9PutApOBB5yfhjkDn09Eask\n" \
+ "ZwG4hfVQxqKZDTj/thUvmIJ7AwKBgQDDj6OZgpE9pBLGwBvMHLhIDGaPw/jeA+2k\n" \
+ "8xYJqj+y7YXoqNY2/C8LC/fiA9Zu+AnzMZeXm8CS6OA3P7C6e82iDtz6xSzMG3vV\n" \
+ "onzQahdP/a/9HtHP6e2mr9jx7odbPzL9Lr9U1w+ymramtzTh8P3YcMlKe7qgpULT\n" \
+ "JjuYVXjA+QKBgDCMCMF0YLG0b+1Tcqo3ezrQQV02JQeIimjHFIWpKt9P3eufD5sg\n" \
+ "WgAcAQLTball2FGLPXhP8A/zkMg1pNIk/T+scU1Z8fn8iZXu17dS4kP6DvAZgSST\n" \
+ "Lj6P0MLJnFlPYuvab60IDwMUQ1+DX6awj2oqz8CavN0KUDeljWVUAWJtAoGBAKC9\n" \
+ "tA89zvwHnJdY2IBRKvetma+ZuTljqTXnyLlxAqKjsWmnPUw8xL4jvEA+P0c/AY6v\n" \
+ "uJaZIxSd7Y37/9uIX2FRLjnBUC0EeikDQexdB4RsVPeNGY/4C6ry5zMUiJVrwRFy\n" \
+ "Fzo4+2Im4PLvq7v7Retd6VYblS7uJ5s+1cVEm9ihAn9W1kDj9xEwwLUfkhCtQSiN\n" \
+ "OXADB8Xz/BEtJJoRxf2S0tz3qUBrd7hHG5nfV3tEpU6nP8bFyLU0MIuzV3uRIiov\n" \
+ "JPmdRRv4QcweRiPX5kPheanGHvfclMP5mhqLju/NFLqlS13P2/BNQG2XgtkolE4s\n" \
+ "/hUIAHybIAqkE5/BlQjA\n" \
"-----END PRIVATE KEY-----\n"
/*
--
2.31.1
4:25 a.m.
On Tue, Jul 13, 2021 at 08:57:30 +0200, Michal Privoznik wrote:
In not so distant past (v6.5.0~3) I've updated the private key
we
use for virnettls* tests. Back then I was driven by Fedora 33
change which deprecated RSA-1024 which we used back then. I
generated an EC-384 key which was fine as it was considered
strong enough until RHEL-9 came along. RHEL-9 no longer considers
any of EC keys strong enough (for key exchange) and thus we're
back to RSA, but this time with 2048 bits. Generated by this cmd
line:
I'd go for 4096 bits to stay ahead a bit.
openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
My quick google search yielded just some JDK changes for improving the
implementation of EC algorithms:
https://bugs.openjdk.java.net/browse/JDK-8208698
but nothing that would state it's no longer secure or anything.
Either way.
Reviewed-by: Peter Krempa <pkrempa(a)redhat.com>
7:16 a.m.
On 7/13/21 11:25 AM, Peter Krempa wrote:
On Tue, Jul 13, 2021 at 08:57:30 +0200, Michal Privoznik wrote:
> In not so distant past (v6.5.0~3) I've updated the private key we
> use for virnettls* tests. Back then I was driven by Fedora 33
> change which deprecated RSA-1024 which we used back then. I
> generated an EC-384 key which was fine as it was considered
> strong enough until RHEL-9 came along. RHEL-9 no longer considers
> any of EC keys strong enough (for key exchange) and thus we're
> back to RSA, but this time with 2048 bits. Generated by this cmd
> line:
I'd go for 4096 bits to stay ahead a bit.
>
> openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048
>
> Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
> ---
My quick google search yielded just some JDK changes for improving the
implementation of EC algorithms:
https://bugs.openjdk.java.net/browse/JDK-8208698
but nothing that would state it's no longer secure or anything.
Either way.
Reviewed-by: Peter Krempa <pkrempa(a)redhat.com>
Alright, so after more debugging this turned out to be a bug in
crypto-policies package in RHEL-9. It's fixed by the following commit:
https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/a5e64bb9...
And I can confirm that with that commit the virnettlssessiontest passes
again. Thus I think this patch can be discarded.
Michal
1263
days inactive
1263
days old
2 comments
3 participants
participants (3)
-
Michal Privoznik -
Michal Prívozník
-
Peter Krempa