diff options
| author | Jack Lloyd <[email protected]> | 2016-12-30 19:59:15 -0500 |
|---|---|---|
| committer | Jack Lloyd <[email protected]> | 2016-12-30 19:59:15 -0500 |
| commit | b910602f3af678fe02852cb83df95f0619efbf35 (patch) | |
| tree | 2a7e512ef947f7b29161babb6cceae566db16b68 /src/lib | |
| parent | be0f1c1cabdbd787cf3ad65a0dfbc8fd4882bc3f (diff) | |
| parent | 0e3d9acafc4cc06f6ab8d62b2510a57e8df852d6 (diff) | |
Merge GH #785 Disable SHA-1 and weak RSA by default during cert validation
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/x509/x509path.h | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/src/lib/x509/x509path.h b/src/lib/x509/x509path.h index 396e1fead..a193ebe55 100644 --- a/src/lib/x509/x509path.h +++ b/src/lib/x509/x509path.h @@ -36,18 +36,20 @@ class BOTAN_DLL Path_Validation_Restrictions public: /** * @param require_rev if true, revocation information is required + * @param minimum_key_strength is the minimum strength (in terms of - * operations, eg 80 means 2^80) of a signature. Signatures - * weaker than this are rejected. If more than 80, SHA-1 - * signatures are also rejected. + * operations, eg 80 means 2^80) of a signature. Signatures weaker than + * this are rejected. If more than 80, SHA-1 signatures are also + * rejected. If possible use at least setting 110. + * * 80 bit strength requires 1024 bit RSA - * 110 bit strength requires 2048 bit RSA - * Using 128 requires ECC (P-256) or ~3000 bit RSA keys. + * 110 bit strength requires 2k bit RSA + * 128 bit strength requires ~3k bit RSA or P-256 * @param ocsp_all_intermediates Make OCSP requests for all CAs as * well as end entity (if OCSP enabled in path validation request) */ Path_Validation_Restrictions(bool require_rev = false, - size_t minimum_key_strength = 80, + size_t minimum_key_strength = 110, bool ocsp_all_intermediates = false); /** |