Re: Feature req: DH prime bitsize query
From: Janne Snabb
Subject: Re: Feature req: DH prime bitsize query
Date: Sun, 27 May 2012 08:47:26 +0000 (UTC)
On Sun, 27 May 2012, Phil Pennock wrote:
> When gnutls_dh_params_generate2() is used to generate DH parameters of a
> particular size, it has a tendency to overshoot.
>
> Asking for 2236 bits, a 2237 bit prime seems to be fairly common.
Ouch!
> Could GnuTLS 3 *please* get an API call to find out the size in bits of
> the DH prime in a gnutls_dh_params_t ? Perhaps even add a query mode to
> certtool?
New version of certtool prints out the number of bits. Are you looking
for this:
$ certtool --dh-info --infile=/var/spool/exim4/gnutls-params-2236
Generator (8 bits): 02
Prime (2240 bits):
0f:00:55:99:82:cb:c0:eb:42:eb:ef:33
[..]
The --dh-info option does not seem to be available in Ubuntu packaged
gnutls-bin version 3.0.11+really2.12.14-5ubuntu3 (wtf?) but gnutls-bin
version 3.0.19-2 on debian "sid" has the --dh-info option. I did not
have time now to look how it gets the information.
Appears that I have 2240 bits when Exim had asked for 2236. Which means
that Thunderbird/NSS would not be able to negotiate DHE-RSA with this
server :(.
--
Janne Snabb / EPIPE Communications
address@hidden - http://epipe.com/
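A way to answer the question raised in this thread offline, as an added example that is not part of the original message and not code from GnuTLS or certtool: it parses a `certtool --dh-info` style dump, rebuilds the prime from the hex bytes, and computes the prime's real bit length instead of trusting the "(N bits)" header. A size derived from the byte count always rounds up to a multiple of 8, so checking the integer's own bit length is the only way to know whether a request for 2236 bits actually produced 2236. The sample dump is constructed: the first twelve bytes of the prime are the ones shown above, the remaining 268 bytes are filler and the value is not a real prime. The function names and the `max_bits` parameter are this example's own.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample in the layout certtool --dh-info prints (NOT a real prime):
# the first 12 bytes come from the message above, the rest is filler.
_PRIME_BYTES = (["0f", "00", "55", "99", "82", "cb", "c0", "eb",
                 "42", "eb", "ef", "33"] + ["a5"] * 268)
SAMPLE_DH_INFO = (
    "Generator (8 bits): 02\n"
    "Prime (2240 bits):\n"
    + "\n".join(":".join(_PRIME_BYTES[i:i + 16])
                for i in range(0, len(_PRIME_BYTES), 16))
    + "\n"
)

# "Prime (2240 bits):" or "Generator (8 bits): 02" (value may be inline)
_HEADER = re.compile(r"^(?P<name>[A-Za-z ]+) \((?P<bits>\d+) bits\):\s*(?P<rest>.*)$")
# continuation lines of colon-separated hex bytes (a trailing colon is tolerated)
_HEXLINE = re.compile(r"^[0-9a-fA-F:\s]+$")


def parse_dh_info(text: str) -> Dict[str, object]:
    """Parse a certtool-style DH dump.

    Returns e.g. {"generator": b"\\x02", "generator_reported_bits": 8,
                  "prime": b"...", "prime_reported_bits": 2240}.
    Lines that are neither a header nor hex (PEM blocks, "[..]") are skipped.
    """
    chunks: Dict[str, list] = {}
    reported: Dict[str, int] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _HEADER.match(line)
        if m:
            current = m.group("name").strip().lower()
            reported[current] = int(m.group("bits"))
            chunks[current] = [m.group("rest")] if m.group("rest") else []
            continue
        if current is not None and _HEXLINE.match(line):
            chunks[current].append(line)
    out: Dict[str, object] = {}
    for name, parts in chunks.items():
        hexdigits = re.sub(r"[^0-9a-fA-F]", "", "".join(parts))
        out[name] = bytes.fromhex(hexdigits)
        out[name + "_reported_bits"] = reported[name]
    return out


def bit_length(value: bytes) -> int:
    """Exact bit length of a big-endian unsigned integer (leading zero bits ignored)."""
    return int.from_bytes(value, "big").bit_length()


def check_prime_size(prime: bytes, requested_bits: int,
                     max_bits: Optional[int] = None) -> Tuple[int, bool]:
    """Return (actual_bits, ok): ok when the prime is at least the requested size
    and, if max_bits is given, does not exceed it (peers may enforce a ceiling)."""
    actual = bit_length(prime)
    ok = actual >= requested_bits and (max_bits is None or actual <= max_bits)
    return actual, ok


if __name__ == "__main__":
    params = parse_dh_info(SAMPLE_DH_INFO)
    actual, ok = check_prime_size(params["prime"], 2236, max_bits=2236)
    print(f"reported {params['prime_reported_bits']} bits, "
          f"actual {actual} bits, acceptable: {ok}")
```

Pipe the real output into `parse_dh_info` (`certtool --dh-info --infile=<params file>`) and compare `bit_length(prime)` with what the server was configured to request; in the constructed sample the header says 2240 while the leading byte `0f` makes the integer 2236 bits long.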