[Ach] Thanks for the Logjam blog-post
Axel Hübl
axel.huebl at web.de
Thu May 21 15:17:01 CEST 2015
On 21.05.2015 15:04, Hanno Böck wrote:
> On Thu, 21 May 2015 14:40:06 +0200
> Aaron Zauner <azet at azet.org> wrote:
>
>> FYI: it doesn't currently check the length of the primes that it
>> received, but I figure this can be easily added.
>
> It does:
>
> if bits < 1024:
> print("\033[91m%i bits, that's very short and insecure, use
> 2048 bit or more\033[39m" % bits) elif bits < 2048:
> print("\033[93m%i bits, better use 2048 bit or more\033[39m" %
> bits) else:
> print("\033[92m%i bits, that should be long enough\033[39m" %
> bits)
Using openssl 1.0.1k and this stackoverflow article:
https://superuser.com/questions/905557/openssl-display-dh-parameters
one can also determine the dh param length without trace support (on a
debian stable ;) ).
echo | openssl s_client -connect bettercrypto.org:443 -msg \
-cipher "DH" 2>/dev/null \
| grep -A 1 "ServerKeyExchange"
TLS 1.2 Handshake [length 060f], ServerKeyExchange
0c 00 06 0b 02 00 c0 05 8e 20 30 57 fb 7f ca 67
|---------||-----||--> the actual modulus starts here ...
header len of
DH modulus
(hex) in bytes
for bettercrypto.org "0200" is 512 bytes of an integer (up to 4096 bits).
Correct?
Pretty convenient, isn't it? ^^
Axel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20150521/d3ad89ab/attachment.sig>
More information about the Ach
mailing list