Date:      Fri, 7 Apr 2000 16:16:13 -0700 (PDT)
From:      Kris Kennaway <kris@FreeBSD.org>
To:        Mikhail Teterin <mi@mail.virtual-estates.net>
Cc:        stable@FreeBSD.org
Subject:   Re: openssl broken in 4.0?
Message-ID:  <Pine.BSF.4.21.0004071609050.7035-100000@freefall.freebsd.org>
In-Reply-To: <200004072156.RAA01154@mail.virtual-estates.net>

On Fri, 7 Apr 2000, Mikhail Teterin wrote:

> > Is the other  end trying to use  a >1024 bit key?  RSAREF can't handle
> > those.
> 
> It is quite possible, actually... Is there  an easy way to find out? Why
> did this limitation suddenly appear? Will it go away? Thanks!

The openssl(1) command can parse the keys and show you how big they are.

OpenSSL doesn't report a specific error condition for "key too big" in the
RSAREF + large key case, so there's currently no automatic way for an
application to detect it. I fixed OpenSSH to display an error message when
it encounters this condition by explicitly checking the key size if an RSA
operation fails and openssl is using RSAREF, but the library itself won't
currently complain. Actually I should go back and see if there's a way I
can make it do so.

RSAREF has always had this limitation on keysize - in fact it would be
easy to remove the limitation, but according to the license terms you're
not allowed to make functional changes to the code. If this is actually
the cause of your problem, and you didn't see it before I can only assume
your openssl port wasn't compiled with USA_RESIDENT=yes and was thus using
the native RSA implementation.

This won't be an issue any longer after 9/20/2000 when the RSA patent
expires and we can put back the native openssl RSA encryption for US
folks.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>
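
The check described in the message above (look at the key size once an RSA operation has failed), sketched as an added example that is not part of the original e-mail or of OpenSSH's code. It assumes the peer key is available as an OpenSSH `ssh-rsa` public-key line; the function names and the constructed sample keys are hypothetical.

```python
import base64
import struct

RSAREF_MAX_BITS = 1024  # limit stated in the thread (RSAREF can't handle >1024-bit keys)

def read_string(blob, offset):
    """Read one SSH wire-format field: uint32 big-endian length, then the bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[offset + 4:end], end

def rsa_modulus_bits(pubkey_line):
    """Return the modulus size in bits of an OpenSSH 'ssh-rsa AAAA...' line."""
    fields = pubkey_line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1], validate=True)
    key_type, off = read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key type inside blob does not match")
    _exponent, off = read_string(blob, off)
    modulus, off = read_string(blob, off)
    # The leading 0x00 sign-pad byte of an mpint does not add to the bit length.
    return int.from_bytes(modulus, "big").bit_length()

def explain_rsa_failure(pubkey_line, limit=RSAREF_MAX_BITS):
    """Call after an RSA operation has failed: report whether key size explains it."""
    bits = rsa_modulus_bits(pubkey_line)
    if bits > limit:
        return f"RSA key is {bits} bits; backend limit is {limit} bits"
    return None

def constructed_key(bits):
    """Build a well-formed but NOT cryptographically real key line (sample input)."""
    n = (1 << (bits - 1)) | 1
    n_bytes = b"\x00" + n.to_bytes((bits + 7) // 8, "big")  # mpint sign pad
    parts = [b"ssh-rsa", (65537).to_bytes(3, "big"), n_bytes]
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"

if __name__ == "__main__":
    for size in (1024, 2048):
        print(size, explain_rsa_failure(constructed_key(size)))
```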


