[krbdev.mit.edu #7602] allow dh_min_bits >= 1024
Tom Yu via RT
rt-comment at krbdev.mit.edu
Fri Apr 5 21:10:54 EDT 2013
Windows 7 clients apparently offer the 1024-bit Oakley MODP group, and
might have some trouble with Diffie-Hellman parameter counterproposals
by the KDC. Allowing dh_min_bits to be 1024 (but not by default)
should allow these clients to do PKINIT successfully (if combined with
the "missing q parameter" interop workaround). Arguably, 1024 bits is
too weak for modern usage, but SP800-57 says it's equivalent to 80
bits of security, and we still allow administrators to configure
single-DES, which is weaker.
We should still investigate the underlying interop problem, though.
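To make the policy question in the ticket concrete, here is an added illustrative model of the KDC-side decision (accept the client's DH group, or counterpropose with KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED as RFC 4556 describes). It is example code, not krb5's implementation: the function and dataclass names are made up for this example, the group sizes are the well-known Oakley MODP sizes PKINIT uses, the "missing q" toggle stands in for the interop workaround mentioned above, and the strength figures are the NIST SP 800-57 comparable-strength values for finite-field DH. Restricting dh_min_bits to the known group sizes is an assumption of this model, not necessarily krb5's behaviour.

```python
"""Illustrative model of a PKINIT KDC's Diffie-Hellman parameter policy.

Added example, not krb5 code.  It shows why allowing dh_min_bits = 1024
(combined with tolerating an absent q) lets a client that offers the
1024-bit Oakley group succeed, and what the KDC would counterpropose otherwise.
"""
from dataclasses import dataclass, field
from typing import List

# Modulus sizes of the well-known Oakley MODP groups PKINIT (RFC 4556) uses.
# Only the sizes matter for this policy model; the primes themselves are omitted.
KNOWN_GROUP_BITS = [1024, 2048, 4096]


def security_bits(modulus_bits: int) -> int:
    """Comparable security strength per NIST SP 800-57 Part 1 (FFC table)."""
    if modulus_bits >= 15360:
        return 256
    if modulus_bits >= 7680:
        return 192
    if modulus_bits >= 3072:
        return 128
    if modulus_bits >= 2048:
        return 112
    if modulus_bits >= 1024:
        return 80
    return 0


@dataclass
class ClientDHParams:
    """What the client put in its DomainParameters (constructed test input)."""
    p_bits: int          # size of the prime modulus p
    has_q: bool          # whether the subgroup order q was included


@dataclass
class Decision:
    accepted: bool
    reason: str
    counterproposal: List[int] = field(default_factory=list)  # groups the KDC would offer


def evaluate_dh_params(params: ClientDHParams,
                       dh_min_bits: int = 2048,
                       allow_missing_q: bool = False) -> Decision:
    """Decide whether the KDC accepts the client's DH group.

    dh_min_bits must be one of the known group sizes (assumption of this model;
    1024 is allowed but should not be the default, as the ticket proposes).
    """
    if dh_min_bits not in KNOWN_GROUP_BITS:
        raise ValueError(f"dh_min_bits must be one of {KNOWN_GROUP_BITS}")

    acceptable = [g for g in KNOWN_GROUP_BITS if g >= dh_min_bits]

    if params.p_bits not in KNOWN_GROUP_BITS:
        return Decision(False, f"unknown {params.p_bits}-bit group", acceptable)
    if params.p_bits < dh_min_bits:
        return Decision(False,
                        f"{params.p_bits}-bit group (~{security_bits(params.p_bits)}-bit "
                        f"security) is below dh_min_bits={dh_min_bits}",
                        acceptable)
    if not params.has_q and not allow_missing_q:
        return Decision(False, "q parameter missing and workaround not enabled", acceptable)
    return Decision(True, f"{params.p_bits}-bit group accepted")


if __name__ == "__main__":
    # Constructed input modelling the Windows 7 client from the ticket:
    # 1024-bit Oakley group, no q parameter.
    win7 = ClientDHParams(p_bits=1024, has_q=False)
    print(evaluate_dh_params(win7))                      # default policy: rejected
    print(evaluate_dh_params(win7, 1024))                # still rejected: q missing
    print(evaluate_dh_params(win7, 1024, True))          # accepted with both relaxations
```

With the default policy the 1024-bit offer is rejected and the KDC's counterproposal carries the 2048- and 4096-bit groups; the client only succeeds when both the minimum is lowered to 1024 and the absent q is tolerated, which is exactly the combination the ticket describes.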