Hello,

Just had a query, from security point of view.

Shouldn't dovecot-openssl.conf defaults now be 2048 bits?

i.e. default_bits = 1024

I have read that 1024 bit certificates are now deprecated, since Dec 31, 2013.

So maybe we should have default as 2048 and can be changed manually if someone specifically wants 1024 or lower.

Regards,
A M
On 22.04.2014 15:49, A M wrote:
> Just had a query, from security point of view.
>
> Shouldn't dovecot-openssl.conf defaults now be 2048 bits?
>
> i.e. default_bits = 1024
>
> I have read that 1024 bit certificates are now deprecated,
> since Dec 31, 2013

if you really care you have to use 3072 and not 2048, and much more important, get rid of SHA1 certs

3072 RSA matches AES128, for ECC 256
________________________________________

here you go:
http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report
http://www.nsa.gov/business/programs/elliptic_curve.shtml
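
An added example, not part of the thread and not Dovecot's own code: a small audit of the [ req ] section of an OpenSSL-style config against the key sizes named above (2048 as the proposed default, 3072 as the reply's recommendation) and against SHA1 as the signing digest. The sample file contents, the hostname and the function names are constructed for illustration.

```python
import re

# Thresholds from the thread: 2048 proposed default, 3072 recommended in the reply.
MIN_BITS = 2048
RECOMMENDED_BITS = 3072
WEAK_DIGESTS = {"md5", "sha1"}

# Constructed sample in the style of an OpenSSL req config; not the shipped file.
SAMPLE_CNF = """\
[ req ]
default_bits = 1024   # key size under discussion
default_md = sha1
distinguished_name = req_dn

[ req_dn ]
CN = imap.example.com
"""

def parse_cnf(text):
    """Parse OpenSSL-style config text into {section: {key: value}}."""
    sections, current = {}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        m = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if m:
            current = m.group(1)
            continue
        if "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections.setdefault(current, {})[key] = value
    return sections

def audit_req(text):
    """Return findings for key size and digest in the [ req ] section."""
    req = parse_cnf(text).get("req", {})
    findings = []
    bits = req.get("default_bits")
    if bits is None or not bits.isdigit():
        findings.append("default_bits not set: key size depends on the OpenSSL build default")
    elif int(bits) < MIN_BITS:
        findings.append(f"default_bits={bits}: below {MIN_BITS}")
    elif int(bits) < RECOMMENDED_BITS:
        findings.append(f"default_bits={bits}: acceptable, but below {RECOMMENDED_BITS}")
    md = req.get("default_md", "").lower()
    if md in WEAK_DIGESTS:
        findings.append(f"default_md={md}: weak signature digest")
    return findings
```

Calling audit_req(SAMPLE_CNF) reports both the 1024-bit default and the SHA1 digest; a config with default_bits = 3072 and default_md = sha256 returns no findings.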