bsmith: the Diffie-Hellman private keys generated by NSS
are hardcoded to be 160 bits long:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/freebl/dh.c&rev=1.11&mark=24#24

The private key length should be the same as the length of the
q parameter.  So for a 2048-bit p, q should be either 224 or
256 bits.  A 160-bit q is only appropriate for a 1024-bit p.

Private key length should max out at 512 bits (at the 256-bit
security level).

We can come up with a step function that returns these discrete
private key lengths depending on the size of p:
160 bits
224 bits
256 bits
384 bits
512 bits

See NIST SP 800-57, Table 2 and http://www.keylength.com/en/4/

https://bugs.launchpad.net/bugs/1002434
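
The step function proposed in the comment above, as an added example (not NSS code and not part of the original bug report). The thresholds are the finite-field L/N pairs from NIST SP 800-57 Part 1, Table 2; the function names and the rule of rounding an in-between p up to the next row are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* (size of p, size of q / private key) in bits, per NIST SP 800-57
 * Part 1, Table 2, for the 80/112/128/192/256-bit security levels. */
struct dh_level { unsigned p_bits; unsigned priv_bits; };

static const struct dh_level DH_LEVELS[] = {
    { 1024, 160 }, { 2048, 224 }, { 3072, 256 }, { 7680, 384 }, { 15360, 512 },
};

/* Hypothetical helper: private-key length in bits for a prime of p_bits.
 * Assumption: a p that falls between two rows is rounded UP to the next
 * row, so the exponent is never shorter than the level p could reach.
 * The result is capped at 512 bits; p_bits == 0 is rejected with 0. */
unsigned dh_private_key_bits(unsigned p_bits)
{
    size_t i, n = sizeof DH_LEVELS / sizeof DH_LEVELS[0];

    if (p_bits == 0)
        return 0;
    for (i = 0; i < n; i++)
        if (p_bits <= DH_LEVELS[i].p_bits)
            return DH_LEVELS[i].priv_bits;
    return DH_LEVELS[n - 1].priv_bits;
}

/* Number of random bytes to draw for the private exponent. */
unsigned dh_private_key_bytes(unsigned p_bits)
{
    return (dh_private_key_bits(p_bits) + 7) / 8;
}

/* Non-zero when a fixed 160-bit exponent is shorter than the table gives. */
int dh_fixed_160_is_short(unsigned p_bits)
{
    return dh_private_key_bits(p_bits) > 160;
}

int main(void)
{
    /* Sizes named in this bug: common 1024/2048 and the GnuTLS levels. */
    static const unsigned sizes[] = { 1024, 1248, 1776, 2048, 2432, 3248 };
    size_t i;

    for (i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("p=%u bits -> private key %u bits (160 too short: %s)\n",
               sizes[i], dh_private_key_bits(sizes[i]),
               dh_fixed_160_is_short(sizes[i]) ? "yes" : "no");
    return 0;
}
```
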

Title:
  TLS interoperability issue in NSS based software

Status in Network Security Services (NSS):
  In Progress
Status in Mozilla Thunderbird Mail and News:
  In Progress
Status in “firefox” package in Ubuntu:
  Triaged
Status in “nss” package in Ubuntu:
  Triaged
Status in “thunderbird” package in Ubuntu:
  Triaged

Bug description:
  NSS (Netscape Security Services) module provides encryption services
  to many applications, such as Thunderbird, Firefox and Chromium. NSS
  has a hard-coded maximum limit of 2236 bits for ephemeral
  Diffie-Hellman (DHE) keys. If the TLS server (such as a web server, SMTP
  server, IMAP server, etc.) requests a bigger DHE key size, NSS based
  applications refuse to interoperate. They just close the connection
  and display a confusing error message (such as "Unknown error").

  Recent versions of GnuTLS (as shipped by Ubuntu and other
  distributions) include a new library API which recommends and
  automatically selects the following key sizes:

  Security level    Key bits

  LOW               1248
  LEGACY            1776
  NORMAL            2432
  HIGH              3248

  See the following for more information:
  https://www.gnu.org/software/gnutls/manual/html_node/Selecting-cryptographic-key-sizes.html

  As can be seen, NSS's maximum limit of 2236 bits can only interoperate
  with a GnuTLS server which has been set at "LOW" or "LEGACY" security
  level.

  This bug was discovered when Exim's GnuTLS interface was revamped
  recently. Thunderbird refused to complete TLS handshake with the Exim
  SMTP server any more, because the new GnuTLS interface was following
  the GnuTLS library's opinion on suitable key sizes.

  Please patch the NSS library to accept reasonable key sizes: at the
  very least 3248 bits should be accepted to allow interoperability with
  GnuTLS at HIGH level. NSS is the only TLS library which has such a low
  hard limit on DHE key size.

  The only reason people are not hitting this bug frequently yet is that
  most mainstream server software still does not use GnuTLS library's
  new API or recommendations but instead hard codes the DHE key size to
  1024 or 2048 bits.

  I am attaching a patch which points out the relevant #define in
  blapit.h.
