[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Feature req: DH prime bitsize query
|
From: |
Nikos Mavrogiannopoulos |
|
Subject: |
Re: Feature req: DH prime bitsize query |
|
Date: |
Sun, 27 May 2012 13:06:00 +0200 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:10.0.4) Gecko/20120510 Icedove/10.0.4 |
On 05/27/2012 10:47 AM, Janne Snabb wrote:
> On Sun, 27 May 2012, Phil Pennock wrote:
>
>> When gnutls_dh_params_generate2() is used to generate DH parameters of a
>> particular size, it has a tendency to overshoot.
>>
>> Asking for 2236 bits, a 2237 bit prime seems to be fairly common.
>
> Ouch!
>
>> Could GnuTLS 3 *please* get an API call to find out the size in bits of
>> the DH prime in a gnutls_dh_params_t ? Perhaps even add a query mode to
>> certtool?
>
> New version of certtool prints out the number of bits. Are you looking
> for this:
>
> $ certtool --dh-info --infile=/var/spool/exim4/gnutls-params-2236
> Generator (8 bits): 02
>
> Prime (2240 bits):
> 0f:00:55:99:82:cb:c0:eb:42:eb:ef:33
> [..]
That number is an overestimation. It is the number of bytes in the
number times 8, thus a function that returns a more precise number would
improve this aspect as well.
regards,
Nikos