On Wed, Feb 27, 2013 at 12:49:55AM +0530, Thulasi Goriparthi wrote:

> Or use another hash type for signature which can produce not more than 53
> bytes of hashed data. (i.e MD5, SHA1, SHA256, SHA384) while using 512-bit
> keys. OpenSSL by default uses SHA512 hash for signature. Change the code to
> use any other hash.

Interestingly enough, it is in fact SHA384 that fails with RSA-512.
The client and server agree on:

    ECDHE-RSA-AES256-GCM-SHA384

> 512 bit(64 byte) RSA key can only encrypt 53 bytes at max. 64 - 11 byte
> padding and SHA512 produces 64 bytes of hashed data.

and the handshake fails when the client's key is RSA-512. Indeed the
shortest RSA key that seems to work is RSA-745, tests with RSA-744
consistently fail. I don't know why the requisite key size is
substantially larger than the digest length + expected padding.

In any case, none of this should be exposed to the user. Ideally,
the client side should not offer ciphersuites it cannot use. Perhaps
the library does not generally know which if any client key will
be used until after the server's client certificate request.

The simplest answer is to avoid obsolete weak keys.

-- 
	Viktor.
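
Added example, not part of the original message or of OpenSSL's code: the size arithmetic for a PKCS#1 v1.5 signature block (EMSA-PKCS1-v1_5, RFC 8017), which signs a DER DigestInfo wrapper around the hash rather than the bare hash. Assuming the failing signature is over a SHA-512 digest, the default the quoted message names, the smallest modulus that fits is 745 bits, the boundary reported above; the function names are illustrative.

```python
import hashlib

# DER DigestInfo prefixes from RFC 8017, section 9.2 (notes).
DIGEST_INFO_PREFIX = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}
MIN_PADDING = 11  # 0x00 0x01, at least eight 0xff bytes, then 0x00


def modulus_bytes(key_bits):
    """Length in bytes of an RSA modulus of key_bits bits."""
    return (key_bits + 7) // 8


def emsa_pkcs1_v15_encode(hash_name, message, key_bits):
    """Return the padded block a signer would exponentiate, or raise."""
    digest = hashlib.new(hash_name, message).digest()
    t = DIGEST_INFO_PREFIX[hash_name] + digest   # DigestInfo, not bare hash
    em_len = modulus_bytes(key_bits)
    if em_len < len(t) + MIN_PADDING:
        raise ValueError(
            f"{hash_name}: DigestInfo of {len(t)} bytes plus {MIN_PADDING} "
            f"bytes of padding does not fit a {em_len}-byte modulus")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def min_key_bits(hash_name):
    """Smallest modulus size in bits that can carry this hash's DigestInfo."""
    digest_len = hashlib.new(hash_name).digest_size
    need = len(DIGEST_INFO_PREFIX[hash_name]) + digest_len + MIN_PADDING
    return 8 * (need - 1) + 1   # one bit into the last required byte


if __name__ == "__main__":
    msg = b"constructed sample handshake transcript"
    for name in DIGEST_INFO_PREFIX:
        print(f"{name}: minimum modulus {min_key_bits(name)} bits")
    for bits in (512, 744, 745):
        try:
            emsa_pkcs1_v15_encode("sha512", msg, bits)
            print(f"RSA-{bits} + sha512: fits")
        except ValueError as exc:
            print(f"RSA-{bits} + sha512: {exc}")
```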