diff options
| author | Jack Lloyd <[email protected]> | 2016-12-27 16:40:02 -0500 |
|---|---|---|
| committer | Jack Lloyd <[email protected]> | 2016-12-27 16:40:02 -0500 |
| commit | 0e3d9acafc4cc06f6ab8d62b2510a57e8df852d6 (patch) | |
| tree | 2e2a60551d27f19b352a590330644944b44f7a17 /src/lib | |
| parent | 0f0b147f57fda3459143e71b4c1ff4444d27fdd3 (diff) | |
Increase Path_Validation_Restrictions default min strength to 110
Effectively disables 1024 bit RSA as well as SHA-1.
Edit the tests where required to enable it again.
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/x509/x509path.h | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/src/lib/x509/x509path.h b/src/lib/x509/x509path.h index 396e1fead..a193ebe55 100644 --- a/src/lib/x509/x509path.h +++ b/src/lib/x509/x509path.h @@ -36,18 +36,20 @@ class BOTAN_DLL Path_Validation_Restrictions public: /** * @param require_rev if true, revocation information is required + * @param minimum_key_strength is the minimum strength (in terms of - * operations, eg 80 means 2^80) of a signature. Signatures - * weaker than this are rejected. If more than 80, SHA-1 - * signatures are also rejected. + * operations, eg 80 means 2^80) of a signature. Signatures weaker than + * this are rejected. If more than 80, SHA-1 signatures are also + * rejected. If possible use at least setting 110. + * * 80 bit strength requires 1024 bit RSA - * 110 bit strength requires 2048 bit RSA - * Using 128 requires ECC (P-256) or ~3000 bit RSA keys. + * 110 bit strength requires 2k bit RSA + * 128 bit strength requires ~3k bit RSA or P-256 * @param ocsp_all_intermediates Make OCSP requests for all CAs as * well as end entity (if OCSP enabled in path validation request) */ Path_Validation_Restrictions(bool require_rev = false, - size_t minimum_key_strength = 80, + size_t minimum_key_strength = 110, bool ocsp_all_intermediates = false); /** |