On Wed, Feb 27, 2013 at 1:39 AM, Viktor Dukhovni <openssl-us...@dukhovni.org > wrote:
> On Wed, Feb 27, 2013 at 12:49:55AM +0530, Thulasi Goriparthi wrote:
>
> > Or use another hash type for signature which can produce not more than 53
> > bytes of hashed data (i.e. MD5, SHA1, SHA256, SHA384) while using 512-bit
> > keys. OpenSSL by default uses SHA512 hash for signature. Change the code
> > to use any other hash.
>
> Interestingly enough, it is in fact SHA384 that fails with RSA-512. The
> client and server agree on:
>
> ECDHE-RSA-AES256-GCM-SHA384
>

Signature hash type is not controlled by the CipherSuite and can be dynamically chosen by the signer. The first two bytes of the signature (prepended) will give us the information about the private key type and hash type that were used to do the signing. These additional two bytes will also be received along with the signature for the verification.

> > 512 bit (64 byte) RSA key can only encrypt 53 bytes at max. 64 - 11 byte
> > padding and SHA512 produces 64 bytes of hashed data.
>
> and the handshake fails when the client's key is RSA-512. Indeed
> the shortest RSA key that seems to work is RSA-745, tests with
> RSA-744 consistently fail. I don't know why the requisite key size
> is substantially larger than the digest length + expected padding.
>
> In any case, none of this should be exposed to the user. Ideally,
> the client side should not offer ciphersuites it cannot use.
> Perhaps the library does not generally know which if any client
> key will be used until after the server's client certificate request.
>
> The simplest answer is to avoid obsolete weak keys.
>
> --
> Viktor.
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
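The size limit discussed above is the PKCS#1 v1.5 encoding rule of RFC 8017 section 9.2: the block must hold the DER DigestInfo prefix (19 bytes for the SHA-2 family) plus the digest plus 11 bytes of padding, so a SHA-512 signature needs a 94-byte modulus, which is exactly the 745-bit threshold Viktor observed (a 744-bit modulus is only 93 bytes). The following is an added illustration written for this thread, not code from either poster or from OpenSSL; the message bytes are constructed and the hash names are Python hashlib names.

```python
import hashlib

# DigestInfo prefixes from RFC 8017 section 9.2 note 1: the DER header that
# precedes the raw digest inside a PKCS#1 v1.5 signature block.
DIGEST_INFO_PREFIX = {
    "md5":    bytes.fromhex("3020300c06082a864886f70d020505000410"),
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}
PKCS1_PADDING_OVERHEAD = 11  # 0x00 0x01, at least eight 0xFF bytes, 0x00


def emsa_pkcs1_v15_encode(message: bytes, hash_name: str, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5-ENCODE: build the em_len-byte block that RSA signing
    would exponentiate. Raises ValueError when the modulus is too short,
    which is the failure behind the handshake errors in the thread."""
    t = DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    if em_len < len(t) + PKCS1_PADDING_OVERHEAD:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def min_modulus_bits(hash_name: str) -> int:
    """Smallest RSA modulus bit length whose byte length fits the block."""
    t_len = len(DIGEST_INFO_PREFIX[hash_name]) + hashlib.new(hash_name).digest_size
    min_bytes = t_len + PKCS1_PADDING_OVERHEAD
    return (min_bytes - 1) * 8 + 1  # first bit length that rounds up to min_bytes


def can_sign(modulus_bits: int, hash_name: str) -> bool:
    """True if a PKCS#1 v1.5 signature with this hash fits the modulus."""
    em_len = (modulus_bits + 7) // 8  # RSA_size(): modulus length in bytes
    try:
        emsa_pkcs1_v15_encode(b"constructed sample transcript", hash_name, em_len)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for h in DIGEST_INFO_PREFIX:
        status = "ok" if can_sign(512, h) else "FAIL"
        print(f"{h:7s} needs >= {min_modulus_bits(h)}-bit modulus; 512-bit key: {status}")
```

Running it shows SHA-384 and SHA-512 both overflow a 64-byte block, so the 53-byte figure only leaves room for SHA-256 and smaller digests once the DigestInfo header is counted.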