Error loading RSA private key (-0x4200): RSA - Key failed to pass the libraries validity check

Heinrich
16 May 2014, 23:05
When I create an 8192 bits server certificate (PEM file) with OpenSSL, Hiawatha won't start and quits instead with the error message:

Error loading RSA private key (-0x4200): RSA - Key failed to pass the libraries validity check

Is this a limitation of PolarSSL, Hiawatha, or both?

Hiawatha version: 9.5
Operating System: Debian Wheezy 64

(Please no discussion about 8192 bits being mad or paranoid.)
Hugo Leisink
17 May 2014, 06:10
In polarssl/include/polarssl/bignum.h is a setting called POLARSSL_MPI_MAX_SIZE. Its default value is 512. Set it to 1024 for 8k RSA keys.

No word about being paranoid from me, because Snowden taught us that you should be. But realize that 8k keys require a lot more computing power than 2k and 4k keys.
Heinrich
17 May 2014, 13:46
Awesome, thanks.
Heinrich
18 May 2014, 01:56
In src/serverconfig.c around line 819, an else .. if must be added for 8192 (and 16384 and so on) bits, otherwise the server won't start if dhsize > 4096 in the config file.

Then in src/ssl.c, around line 355, the largest DH key that is sent to PolarSSL is 4096 bits (via dhm_4096_P). Is this a static DH key, or just a start to calculate more DH keys during an SSL session?
Hugo Leisink
18 May 2014, 12:50
4096 bits DH is already very heavy. Why do you want bigger DH?

The dhm_4096_P is a static P value for DH. The actual keys are of course random for each session.
Heinrich
18 May 2014, 13:22
It seems that using a 4096 bits DH key only uses the same size of an 8192 bits certificate for SSL encryption. (The old Opera/Presto engine browser shows the length of the certificate used for the transmission.)
Hugo Leisink
18 May 2014, 22:14
The DH key size is not related to the key size of the X.509 certificate. Using 4096 bits DH keys is more than secure enough today.
This topic has been closed.