[Ach] Thanks for the Logjam blog-post
Axel Huebl
axel.huebl at plasma.ninja
Thu May 21 15:44:18 CEST 2015
On 21.05.2015 15:17, Axel Hübl wrote:
> On 21.05.2015 15:04, Hanno Böck wrote:
>> On Thu, 21 May 2015 14:40:06 +0200
>> Aaron Zauner <azet at azet.org> wrote:
>>
>>> FYI: it doesn't currently check the length of the primes that it
>>> received, but I figure this can be easily added.
>>
>> It does:
>>
>> if bits < 1024:
>> print("\033[91m%i bits, that's very short and insecure, use
>> 2048 bit or more\033[39m" % bits) elif bits < 2048:
>> print("\033[93m%i bits, better use 2048 bit or more\033[39m" %
>> bits) else:
>> print("\033[92m%i bits, that should be long enough\033[39m" %
>> bits)
>
> Using openssl 1.0.1k and this stackoverflow article:
>
> https://superuser.com/questions/905557/openssl-display-dh-parameters
>
> one can also determine the dh param length without trace support (on a
> debian stable ;) ).
>
> echo | openssl s_client -connect bettercrypto.org:443 -msg \
> -cipher "DH" 2>/dev/null \
> | grep -A 1 "ServerKeyExchange"
>
> TLS 1.2 Handshake [length 060f], ServerKeyExchange
> 0c 00 06 0b 02 00 c0 05 8e 20 30 57 fb 7f ca 67
> |---------||-----||--> the actual modulus starts here ...
> header len of
> DH modulus
> (hex) in bytes
>
> for bettercrypto.org "0200" is 512 bytes of an integer (up to 4096 bits).
>
>
> Correct?
> Pretty convenient, isn't it? ^^
>
>
> Axel
ok, everybody likes one-liners I guess:
server=bettercrypto.org && echo | openssl s_client -connect $server:443
-msg -cipher "DH" 2>/dev/null | grep -A 1 "ServerKeyExchange" | tail -n1
| awk '{print strtonum("0x"$5$6)*8}'
> 4096
Axel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20150521/6c973f8a/attachment.sig>
More information about the Ach
mailing list