List:       mozilla-crypto
Subject:    Re: What is the maximum supported for the modulus in the current
From:       Wan-Teh Chang <wtchang () redhat ! com>
Date:       2005-12-05 19:31:17
Message-ID: 43949585.7070406 () redhat ! com

adulau wrote:
> Hi Guys,
> 
> I was wondering what is the maximum modulus size supported for RSA or
> DSA keys in NSS? For example, we experienced various errors from
> Thunderbird client (1.0.6, 1.0.7 and various other versions) when trying
> to connect in TLS to an ESMTP server with CA keys with 2048-bit
> modulus. The error is the following: "could not establish an encrypted
> connection because certificate presented by <IP> is invalid or
> corrupted Error Code -8182". With random keys with a smaller modulus,
> it seems to be ok.

The maximum modulus size supported for DSA keys is
1024 bits in all NSS releases because that's the maximum
modulus size specified in the Digital Signature Standard
(FIPS 186-2).

The maximum modulus size supported for RSA keys is
8192 bits in NSS 3.9 or later. All existing Thunderbird
releases use NSS 3.9.3 or later.
(http://www.mozilla.org/projects/security/pki/nss/mozilla-nss-versions.html)

Error code -8182 is SEC_ERROR_BAD_SIGNATURE,
"Peer's certificate has an invalid signature."
(See the NSS error code table at
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html.)

Does the ESMTP server have DSA or RSA keys? NSS should
work with a 2048-bit RSA modulus, which is not that uncommon.

Wan-Teh
