Curves with less than 256 bits (i.e., SECP192R1 and SECP224R1) are
not widely supported.
}
bits = info_bits;
} else {
- if (info_sec_param) {
- bits =
- gnutls_sec_param_to_pk_bits(key_type,
- str_to_sec_param
- (info_sec_param));
- } else
- bits =
- gnutls_sec_param_to_pk_bits(key_type,
- GNUTLS_SEC_PARAM_MEDIUM);
+ if (info_sec_param == 0) {
+ /* For ECDSA keys use 256 bits or better, as they are widely supported */
+ if (key_type == GNUTLS_PK_EC)
+ info_sec_param = "HIGH";
+ else
+ info_sec_param = "MEDIUM";
+ }
+ bits =
+ gnutls_sec_param_to_pk_bits(key_type,
+ str_to_sec_param
+ (info_sec_param));
}
return bits;
fprintf(stderr, "Generating a %d bit %s private key...\n",
bits, gnutls_pk_algorithm_get_name(key_type));
+ if (bits < 256 && key_type == GNUTLS_PK_EC)
+ fprintf(stderr,
+ "Note that ECDSA keys with size less than 256 are not widely supported.\n\n");
+
if (bits > 1024 && key_type == GNUTLS_PK_DSA)
fprintf(stderr,
"Note that DSA keys with size over 1024 may cause incompatibility problems when used with earlier than TLS 1.2 versions.\n\n");