tls: require RSA certificates with 2048-bit or larger keys. #5318
Conversation
RSA certificates with keys smaller than 2048-bits are disallowed by NIST, Internet migrated to 2048-bit keys in 2013, and no CAs issue certificates with smaller keys, so we let's prevent users from accidentally using such certificates. Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
source/common/ssl/context_impl.cc
Outdated
| RSA* rsa_public_key = EVP_PKEY_get0_RSA(public_key.get()); | ||
| // Since we checked the key type above, this should be valid. | ||
| ASSERT(rsa_public_key != nullptr); | ||
| int rsa_key_length = RSA_size(rsa_public_key); |
There was a problem hiding this comment.
Nit: const int (maybe switch to unsigned for later arithmetic..).
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
|
I think this is fine. Issues that I would expect would come from people doing dummy setups with keys generated by As for FIPS, as far as BoringSSL is concerned, FIPS RSA keys are either exactly 2048 or 3072 bits. I believe that's true of any FIPS approved module given FIPS 186-4 section 5.1:
However, imposing FIPS requirements more generally is probably not appropriate. For example, it's probably not reasonable for Envoy to disallow 4096-bit RSA by default. |
|
What are the chances that someone is using a 1024-bit key in production? I don't have any sense of the likelihood of this. If it's basically 0% this is fine with me. If higher perhaps we should config guard this and default to on? Thoughts? |
|
@agl this PR is specifically about rejecting RSA certificates with keys smaller than 2048 bits in all builds (FIPS and non-FIPS). We can (should?) add more requirements the FIPS PR and guard them with @mattklein123 there is 0% chance of this happening on the edge / public Internet, since no browsers accept such certificates and no CAs issue them... However, if there are people using self-signed certificates (i.e. produced using |
…xy#5318) RSA certificates with keys smaller than 2048-bits are disallowed by NIST, Internet migrated to 2048-bit keys in 2013, and no CAs issue certificates with smaller keys, so we let's prevent users from accidentally using such certificates. Signed-off-by: Piotr Sikora <piotrsikora@google.com> Signed-off-by: Fred Douglas <fredlas@google.com>
RSA certificates with keys smaller than 2048-bits are disallowed by NIST,
Internet migrated to 2048-bit keys in 2013, and no CAs issue certificates
with smaller keys, so let's prevent users from accidentally using such
certificates.
Signed-off-by: Piotr Sikora piotrsikora@google.com