Module: ngircd.git Branch: master Commit: 49b2d0ec98d001fbc8eedd5a183d66974f70fd52 URL: http://ngircd.barton.de/cgi-bin/gitweb.cgi?p=ngircd.git&a=commit;h=49b2d...
Author: Florian Westphal fw@strlen.de Date: Sat Jun 4 22:57:29 2011 +0200
ssl: gnutls: bump dh bitsize to 2048
The problem is that some clients refuse to connect to servers that only offer 1024-bit DH parameters. For interoperability it would be best to just use 4096, but that takes minutes, even on current hardware.
---
doc/SSL.txt | 4 ++-- src/ngircd/conn-ssl.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/doc/SSL.txt b/doc/SSL.txt
index 394894a..b98c2fb 100644
--- a/doc/SSL.txt
+++ b/doc/SSL.txt
@@ -51,7 +51,7 @@ OpenSSL:
 Creating a self-signed certificate and key:
 $ openssl req -newkey rsa:2048 -x509 -keyout server-key.pem -out server-cert.pem -days 1461
 Create DH parameters (optional):
- $ openssl dhparam -2 -out dhparams.pem 2048
+ $ openssl dhparam -2 -out dhparams.pem 4096
GnuTLS:
@@ -59,7 +59,7 @@ Creating a self-signed certificate and key:
 $ certtool --generate-privkey --bits 2048 --outfile server-key.pem
 $ certtool --generate-self-signed --load-privkey server-key.pem --outfile server-cert.pem
 Create DH parameters (optional):
- $ certtool --generate-dh-params --bits 2048 --outfile dhparams.pem
+ $ certtool --generate-dh-params --bits 4096 --outfile dhparams.pem
 Alternate approach using stunnel(1)
diff --git a/src/ngircd/conn-ssl.c b/src/ngircd/conn-ssl.c
index edcc5bd..7630420 100644
--- a/src/ngircd/conn-ssl.c
+++ b/src/ngircd/conn-ssl.c
@@ -51,7 +51,7 @@ static bool ConnSSL_LoadServerKey_openssl PARAMS(( SSL_CTX *c ));
 #include <unistd.h>
 #include <gnutls/x509.h>
-#define DH_BITS 1024
+#define DH_BITS 2048
 static gnutls_certificate_credentials_t x509_cred;
 static gnutls_dh_params_t dh_params;
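Review bot: The new `#define DH_BITS 2048` now disagrees with doc/SSL.txt in the same commit, which tells administrators to pre-generate 4096-bit parameters, and nothing at the define records why the compiled-in value is lower. A comment would stop the next maintainer from "fixing" either side: `/* Bit size of the DH group generated at startup; 4096 would suit more clients but generation takes minutes, so prefer pre-generated parameters (see doc/SSL.txt). */`. How `DH_BITS` is consumed (presumably via the `dh_params` declared two lines below) lies outside the hunk, so confirm there that a configured parameter file takes precedence over this constant.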