Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 20 Oct 2015 10:22:40 -0600
From: Kurt Seifried <>
To: oss-security <>
Subject: Re: Prime example of a can of worms

So some new questions arise:

1) in openssl does the -2/-5 option matter with respect to security? I read
and some other things and I have no idea if there is a real impact on
security. I bet the other tools have similar switches for which very few
people seem to understand what they actually do, and if they actually
impact security meaningfully.

2) Openssl/gnutls (and likely others) all apparently have slight variations
on how they generate/test primes. E.g.
this worries me, diversity is good, but if not implemented correctly. Do
any best practices actually exist?

3) in testing for primeness how sure are we? Reading and so on
these tests are all "probably prime" but I can't find any data to show that
e.g. given this set of large primes, tested against the various traditional
primality methods, and then brute forced to confirm they are prime/not
prime, what % failed?

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact:

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ