Remove support for 512- and 1024-bit Diffie-Hellman.
authorBen Pfaff <blp@nicira.com>
Wed, 19 Mar 2008 16:37:11 +0000 (09:37 -0700)
committerBen Pfaff <blp@nicira.com>
Wed, 19 Mar 2008 16:37:11 +0000 (09:37 -0700)
As Justin points out, these key lengths are too weak to be acceptable
any longer.

lib/Makefile.am
lib/dh1024.pem [deleted file]
lib/dh512.pem [deleted file]
lib/dhparams.h
lib/vconn-ssl.c

index 1ef8bd03e29a666116df58b8d99a075a170e03af..58b9b9e5518a2f71077b4c548b8d343a1fa0848f 100644 (file)
@@ -30,10 +30,8 @@ if HAVE_OPENSSL
 libopenflow_la_SOURCES += \
        vconn-ssl.c \
        dhparams.c
-dhparams.c: dh512.pem dh1024.pem dh2048.pem dh4096.pem
+dhparams.c: dh2048.pem dh4096.pem
        (echo '#include "dhparams.h"' &&                        \
-        openssl dhparam -C -in $(srcdir)/dh512.pem -noout &&   \
-        openssl dhparam -C -in $(srcdir)/dh1024.pem -noout &&  \
         openssl dhparam -C -in $(srcdir)/dh2048.pem -noout &&  \
         openssl dhparam -C -in $(srcdir)/dh4096.pem -noout)    \
        | sed 's/\(get_dh[0-9]*\)()/\1(void)/' > dhparams.c.tmp
diff --git a/lib/dh1024.pem b/lib/dh1024.pem
deleted file mode 100644 (file)
index 6eaeca9..0000000
+++ /dev/null
@@ -1,10 +0,0 @@
------BEGIN DH PARAMETERS-----
-MIGHAoGBAPSI/VhOSdvNILSd5JEHNmszbDgNRR0PfIizHHxbLY7288kjwEPwpVsY
-jY67VYy4XTjTNP18F1dDox0YbN4zISy1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6
-ypUM2Zafq9AKUJsCRtMIPWakXUGfnHy9iUsiGSa6q6Jew1XpL3jHAgEC
------END DH PARAMETERS-----
-
-These are the 1024 bit DH parameters from "Assigned Number for SKIP Protocols"
-(http://www.skip-vpn.org/spec/numbers.html).
-See there for how they were generated.
-Note that g is not a generator, but this is not a problem since p is a safe prime.
diff --git a/lib/dh512.pem b/lib/dh512.pem
deleted file mode 100644 (file)
index 200d16c..0000000
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN DH PARAMETERS-----
-MEYCQQD1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6ypUM2Zafq9AKUJsCRtMIPWak
-XUGfnHy9iUsiGSa6q6Jew1XpKgVfAgEC
------END DH PARAMETERS-----
-
-These are the 512 bit DH parameters from "Assigned Number for SKIP Protocols"
-(http://www.skip-vpn.org/spec/numbers.html).
-See there for how they were generated.
-Note that g is not a generator, but this is not a problem since p is a safe prime.
index 75e0ebee338b8eb22ff65b83385cdd0b6c20defc..0daeb55fc7416dc2615081599f9156ce19f14949 100644 (file)
@@ -3,8 +3,6 @@
 
 #include <openssl/dh.h>
 
-DH *get_dh512(void);
-DH *get_dh1024(void);
 DH *get_dh2048(void);
 DH *get_dh4096(void);
 
index 32c61f1225bf6cbbb638212f7b0b38d65f4caf81..e243b3c91f1d8ca473b511b5caa6a9950554798b 100644 (file)
@@ -673,8 +673,6 @@ tmp_dh_callback(SSL *ssl, int is_export UNUSED, int keylength)
     };
 
     static struct dh dh_table[] = {
-        {512, NULL, get_dh512},
-        {1024, NULL, get_dh1024},
         {2048, NULL, get_dh2048},
         {4096, NULL, get_dh4096},
     };
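Review bot: With the 512- and 1024-bit rows removed, dh_table's smallest entry is now 2048, but the lookup that consumes `keylength` runs after the hunk, so it cannot be confirmed here whether a request for a shorter size (OpenSSL of this era typically asks for 512 bits on export ciphersuites, and `is_export` is marked UNUSED in the signature) maps onto the 2048 entry or falls off the end of the table. If the loop searches for an exact match it would now return nothing for those requests, which is a different failure than the commit intends; it is worth verifying that the search returns the first entry at least as large as `keylength`. A comment on the table would make the contract explicit, e.g. `/* Sorted by size; the first row is the minimum DH size this peer will offer. */`. tmp_dh_callback's body continues outside the hunk.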