[stunnel-users] key+cert+dh risks

Jean-Yves F. Barbier 12ukwn at gmail.com
Sun Feb 13 22:45:06 CET 2011


On Sun, 13 Feb 2011 22:21:10 +0100, Ludolf Holzheid
<lholzheid at bihl-wiedemann.de> wrote:



> On Sat, 2011-02-12 14:32:19 +0100, Jean-Yves F. Barbier wrote:
> > [..]
> > 
> > Hmmm, so it looks like may the entropy may be higher with 2 different keys.
> 
> Yes, but if this was more than a hypothetical problem, there would be
> a counter for uses of the key and a recommendation to use a new key
> after a certain number of uses.

For my own security, keys are rotated on a monthly basis.

> Think of how many times the web
> banking servers use their key ...

I totally agree with this.
 
> Don't be too concerned about that.

Yes, I am, because it is not the bank interests I protect, but mine!

The advantage of this question is it forced me to read more about openssl,
and now I think I'm gonna do it by the rules: separating every parts into
different files because the exercice is interesting and also because I'll soon
need to configurate a larger network of clients.

However, openssl lacks *real long term* security features (why signing into
sha1 instead of sha384 or sha512 when it is quite surely already broken by gov
Sces?), and is also somehow suspect (remember the 1 line bug that have lasted
for a looong time? After disclosure it was fixed but not a word from
the team about it and not a line in the changelog too......)

What I also wouldn't like is somebody record the whole connexion and decode it
several years after, once the computer farms power is high enough.

-- 
The right to revolt has sources deep in our history.
		-- Supreme Court Justice William O. Douglas



More information about the stunnel-users mailing list