[stunnel-users] stunnel 5.51 released

• Previous message (by thread): [stunnel-users] stunnel 5.51 released
• Next message (by thread): [stunnel-users] V5.51 no support for OpenSSL 1.0.2 ?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 4/10/19 1:38 PM, Jakob Hirsch wrote:
> i.e., everything that contains only hex characters ([0-9a-f]+) will be
> considered a a hex key? I really like that, but that's a breaking change
> for people using a key that consists of hex chars (and don't keep
> client/server version in sync).
For a random alphanumeric key the probability of being hex is at most:

((10+6+6)/(10+26+26))^20 ≈ 10^(-9)

It's a little worse for uppercase-only or lowercase-only alphanumeric keys:

((10+6)/(10+26))^20 ≈ 10^(-7)

We are still safe enough I suppose...

Using a key that was already a valid hexadecimal number and two
different versions of stunnel would indeed cause a problem.  The
solution is to also update the older stunnel...

> This may sound stupid, as you vastly
> limit your key space, but mitigated by simply doubling your key size.
> Maybe not many people are using such keys (or PSK in general), though...

There is no difference in key size, as the effective key size is the
number of entropy bits, and not the number characters.  The number of
entropy bits in 32 hexadecimal digits, and the number of entropy bits in
16 bytes is actually identical (32*4 = 16*8).

> The good news is, that PSK connections now also work with TLSv1.3, so: Yay!

Thank you.

Best regards,
    Mike

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20190410/a1b2b7fc/attachment.html>

• Previous message (by thread): [stunnel-users] stunnel 5.51 released
• Next message (by thread): [stunnel-users] V5.51 no support for OpenSSL 1.0.2 ?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]