-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tls: require RSA certificates with 2048-bit or larger keys. #5318
Conversation
RSA certificates with keys smaller than 2048-bits are disallowed by NIST, Internet migrated to 2048-bit keys in 2013, and no CAs issue certificates with smaller keys, so we let's prevent users from accidentally using such certificates. Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This works from a Google perspective, so LGTM. Will wait for others to comment before merging.
source/common/ssl/context_impl.cc
Outdated
RSA* rsa_public_key = EVP_PKEY_get0_RSA(public_key.get()); | ||
// Since we checked the key type above, this should be valid. | ||
ASSERT(rsa_public_key != nullptr); | ||
int rsa_key_length = RSA_size(rsa_public_key); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: const int
(maybe switch to unsigned for later arithmetic..).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done, thanks!
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
I think this is fine. Issues that I would expect would come from people doing dummy setups with keys generated by As for FIPS, as far as BoringSSL is concerned, FIPS RSA keys are either exactly 2048 or 3072 bits. I believe that's true of any FIPS approved module given FIPS 186-4 section 5.1:
However, imposing FIPS requirements more generally is probably not appropriate. For example, it's probably not reasonable for Envoy to disallow 4096-bit RSA by default. |
What are the chances that someone is using a 1024-bit key in production? I don't have any sense of the likelihood of this. If it's basically 0% this is fine with me. If higher perhaps we should config guard this and default to on? Thoughts? |
@agl this PR is specifically about rejecting RSA certificates with keys smaller than 2048 bits in all builds (FIPS and non-FIPS). We can (should?) add more requirements the FIPS PR and guard them with @mattklein123 there is 0% chance of this happening on the edge / public Internet, since no browsers accept such certificates and no CAs issue them... However, if there are people using self-signed certificates (i.e. produced using |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't need to be perfectionist on being non-breaking for test/dev setups, so if production is close to zero likelihood, LGTM.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
…xy#5318) RSA certificates with keys smaller than 2048-bits are disallowed by NIST, Internet migrated to 2048-bit keys in 2013, and no CAs issue certificates with smaller keys, so we let's prevent users from accidentally using such certificates. Signed-off-by: Piotr Sikora <piotrsikora@google.com> Signed-off-by: Fred Douglas <fredlas@google.com>
RSA certificates with keys smaller than 2048-bits are disallowed by NIST,
Internet migrated to 2048-bit keys in 2013, and no CAs issue certificates
with smaller keys, so let's prevent users from accidentally using such
certificates.
Signed-off-by: Piotr Sikora piotrsikora@google.com