From owner-freebsd-stable Fri Apr 7 16:16:17 2000 Delivered-To: freebsd-stable@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id BFC9C37B898; Fri, 7 Apr 2000 16:16:13 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id QAA07530; Fri, 7 Apr 2000 16:16:13 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Fri, 7 Apr 2000 16:16:13 -0700 (PDT) From: Kris Kennaway To: Mikhail Teterin Cc: stable@FreeBSD.org Subject: Re: openssl broken in 4.0? In-Reply-To: <200004072156.RAA01154@mail.virtual-estates.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-stable@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Fri, 7 Apr 2000, Mikhail Teterin wrote: > > Is the other end trying to use a >1024 bit key? RSAREF can't handle > > those. > > It is quite possible, actually... Is there an easy way to find out? Why > did this limitation suddenly appear? Will it go away? Thanks! The openssl(1) command can parse the keys and show you how big they are. OpenSSL doesn't report a specific error condition for "key too big" in the RSAREF + large key case, so there's currently no automatic way for an application to detect it. I fixed OpenSSH to display an error message when it encounters this condition by explicitly checking the key size if an RSA operation fails and openssl is using RSAREF, but the library itself won't currently complain. Actually I should go back and see if there's a way I can make it do so. RSAREF has always had this limitation on keysize - in fact it would be easy to remove the limitation, but according to the license terms you're not allowed to make functional changes to the code. If this is actually the cause of your problem, and you didnt see it before I can only assume your openssl port wasn't compiled with USA_RESIDENT=yes and was thus using the native RSA implementation. This won't be an issue any longer after 9/20/2000 when the RSA patent expires and we can put back the native openssl RSA encryption for US folks. Kris ---- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message