Gitweb:
https://git.exim.org/exim.git/commitdiff/6aac3239b4ce9638c2c5647684dc4ff2a6afbb42
Commit: 6aac3239b4ce9638c2c5647684dc4ff2a6afbb42
Parent: f94aac30115bc94f2a1c8e3536ad7d40e7e4f302
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Wed Nov 28 19:45:24 2018 +0000
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Wed Nov 28 21:41:01 2018 +0000
TLS: Increase RSA keysize of autogen selfsign cert
---
doc/doc-txt/ChangeLog | 5 +++++
src/src/tls-gnu.c | 4 ++--
src/src/tls-openssl.c | 2 +-
3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index f575a10..1bf6110 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -155,6 +155,11 @@ JH/33 Bug 2338: Fix the cyrus-sasl authenticator to fill in the
$authenticated_fail_id variable on authentication failure. Previously
it was unset.
+JH/34 Increase RSA keysize of autogen selfsign cert from 1024 to 2048. RHEL 8.0
+ OpenSSL didn't want to use such a weak key. Do for GnuTLS also, and for
+ more-modern GnuTLS move from GNUTLS_SEC_PARAM_LOW to
+ GNUTLS_SEC_PARAM_MEDIUM.
+
Exim version 4.91
-----------------
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 3e7e8f9..25fe2f4 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -787,9 +787,9 @@ if ((rc = gnutls_x509_crt_init(&cert))) goto err;
where = US"generating pkey";
if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
#ifdef SUPPORT_PARAM_TO_PK_BITS
- gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_LOW),
+ gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_MEDIUM),
#else
- 1024,
+ 2048,
#endif
0)))
goto err;
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 3299c20..cd11f65 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1174,7 +1174,7 @@ if (!(x509 = X509_new()))
goto err;
where = US"generating pkey";
-if (!(rsa = rsa_callback(NULL, 0, 1024)))
+if (!(rsa = rsa_callback(NULL, 0, 2048)))
goto err;
where = US"assigning pkey";
