wolfSSL - Embedded SSL Library — Question on Key Size.

Re: Question on Key Size.

null@example.com (Scotty2541) — Fri, 18 Apr 2025 12:33:04 +0000

Andy,
I'll continue to post here since this isn't confidential material, and it will help others who are searching.
Also it's not a priority question.

So,

This affects, both keys that are generated and loaded

I'm asking only from the point of view of certificates that customers already have saved on a device.

So this means it would reject a cert that is created with a small key? And fail a handshake?

Also, reject a cert that is loaded locally (as a server loads from storage) and/or sent to a client during a TLS handshake?

And I see it can also be updated with

wolfSSL_CTX_SetMinRsaKey_Sz(ctx, minRsaKeyBits);

So if not already setting a size, this would be added updating to 5-7-4.

This RAS-512 = 1024 is a bit confusing... Is that explained in an RFC somewhere?

Lastly what is the ECC (elliptic) key size for? It's not a certificate key. Where is it used?

wolfSSL_CTX_SetMinEccKey_Sz(...)

I assume this is not certificate based, so updating to the next version having this restriction would not affect customer certificates already on the device?

Thanks.

Re: Question on Key Size.

null@example.com (anthony) — Thu, 17 Apr 2025 16:53:35 +0000

Hi Scott,

That happened in the following pull request: https://github.com/wolfSSL/wolfssl/pull/7923 and that made it into wolfSSL Release 5.7.4 (Oct 24, 2024). Note that the previous value was 1024 which would allow RSA-512 keys. Now that it is set to 2048 is will no longer allow RSA-512 but will allow RSA-1024. I understand if this is somewhat confusing. Sorry about that.

This affects, both keys that are generated and loaded. Note that you can override this default by defining RSA_MIN_SIZE yourself.

If you have further questions, please do send to support@wolfssl.com as I can see you are a commercial customer of wolfSSL.

Warm regards, Anthony

Question on Key Size.

null@example.com (Scotty2541) — Thu, 17 Apr 2025 12:51:54 +0000

Hello.

This article
https://www.wolfssl.com/strengthening-r … 2048-bits/
Says the new min is 2048...

And it applies to wc_MakeRsaKey()

Question:

Which version did that happen?

-and-

Is that part of the handshake, and even if the user has supplied a cert/key that is 1024, it will create the asymmetrical key of 2048?
-or-
Is this only for creating NEW cert/keys?
-or-
does this mean it will fail to load a certificate that was made with a 1024 bit key pair?

I ask because there are existing customers supplying certs that are 1024. So a firmware update which contains the newer version would (or would not) break any stored key they have currently loaded into the device?