httpd-docs mailing list archives

From Issac Goldstand <mar...@beamartyr.net>
Subject Re: Misleading faq: 2048 bit server certificate
Date Mon, 20 Sep 2010 11:15:15 GMT
 On 9/20/2010 12:57 PM, Bhuvaneswaran A wrote:
> Ref: http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#keysize
>
> In Apache 2.2.11, as far as I tested, the use of 2048 bit server
> certificate is supported.
> [bhuvan@cu062 CERTS]$ openssl rsa -noout -text -in server2048.key|grep key -i
> Private-Key: (2048 bit)
>
> However the following FAQ item is misleading.
> -------------------------------------------------------------
> Why does my 2048-bit private key not work?
>
> The private key sizes for SSL must be either 512 or 1024 bits, for
> compatibility with certain web browsers. A keysize of 1024 bits is
> recommended because keys larger than 1024 bits are incompatible with
> some versions of Netscape Navigator and Microsoft Internet Explorer,
> and with other browsers that use RSA's BSAFE cryptography toolkit.
> -------------------------------------------------------------
>
> Either the FAQ item should be removed, or fixed as follows:
> -------------------------------------------------------------
> May I use 2048-bit private key?
>
> Yes, you can use 2048-bit private key. However, the keysize of 1024
> bits is recommended because keys larger than 1024 bits are
> incompatible with some versions of Netscape Navigator and Microsoft
> Internet Explorer, and with other browsers that use RSA's BSAFE
> cryptography toolkit.
> -------------------------------------------------------------
>
+1

Bear in mind that many TTPs are no longer issuing signed certs with less
than a 2048 bit modulus.

  Issac

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org

