TLS certificate sizes in Geminispace

Petite Abeille petite.abeille at gmail.com
Thu Jul 9 18:09:58 BST 2020



> On Jul 9, 2020, at 18:50, colecmac at protonmail.com wrote:
> 
>> What is the consensus on those self-signed ED25519 certificates? Good? Bad? Ugly?
> 
> I prefer using EC keys, which are still quite small (256 bits), but are more widely
> supported. The OpenSSL command is a bit annoying, but I made a gemlog post about it
> to make it easier.
> 
> gemini://makeworld.gq/gemlog/2020-07-06-openssl.gmi

Cool. Thanks for sharing.

> The *key* part of it is:
> -newkey ec -pkeyopt ec_paramgen_curve:prime256v1

Ok, so:

$ openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -keyout key.pem -x509 -days 36500 -subj / -outform der | wc -c
347

347 bytes vs 282 bytes for the ED25519 variant. Not bad at all, size-wise.

Is it something you are using at makeworld.gq?

$ echo | openssl s_client -connect makeworld.gq:1965 2>/dev/null | openssl x509 -outform der | wc -c
1160

At first glance I guess not:

Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
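
The size comparison in the message above, as an added example that is not part of the original post: it reuses the same `openssl req` invocation for three key types and also measures the SubjectPublicKeyInfo inside each certificate, which accounts for most of the difference. The labels `ed25519`, `p256`, `rsa2048` and the function names are this script's own; it assumes OpenSSL 1.1.1 or newer, runs offline and discards the keys.

```shell
#!/bin/sh
# Added example: where the bytes go in a small self-signed certificate.
# Needs OpenSSL 1.1.1+ (ed25519 support); runs offline, keys are thrown away.

# Map a short label to the -newkey arguments (labels are this script's own).
newkey_args() {
    case $1 in
        ed25519) echo "-newkey ed25519" ;;
        p256)    echo "-newkey ec -pkeyopt ec_paramgen_curve:prime256v1" ;;
        rsa2048) echo "-newkey rsa:2048" ;;
        *)       echo "unknown key type: $1" >&2; return 1 ;;
    esac
}

# make_cert LABEL DIR: same req invocation as in the post, written to DIR/cert.der
make_cert() {
    args=$(newkey_args "$1") || return 1
    # $args is intentionally unquoted so it splits into separate options
    openssl req -new $args -nodes -keyout "$2/key.pem" -x509 -days 36500 \
        -subj / -outform der -out "$2/cert.der" 2>/dev/null
}

# cert_size LABEL: bytes in the whole DER certificate
cert_size() {
    dir=$(mktemp -d) || return 1
    make_cert "$1" "$dir" && wc -c < "$dir/cert.der" | tr -d ' '
    rc=$?; rm -rf "$dir"; return $rc
}

# spki_size LABEL: bytes in the DER SubjectPublicKeyInfo carried by the certificate
spki_size() {
    dir=$(mktemp -d) || return 1
    make_cert "$1" "$dir" &&
        openssl x509 -inform der -in "$dir/cert.der" -noout -pubkey |
        openssl pkey -pubin -outform der | wc -c | tr -d ' '
    rc=$?; rm -rf "$dir"; return $rc
}

# Print one line per key type: total certificate size and public-key share.
for alg in ed25519 p256 rsa2048; do
    printf '%-8s cert=%s bytes  spki=%s bytes\n' \
        "$alg" "$(cert_size "$alg")" "$(spki_size "$alg")"
done
```

The ECDSA certificate size can vary by a byte or two between runs because the DER-encoded signature integers are variable length; the Ed25519 signature is always 64 bytes.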

