authorNikos Mavrogiannopoulos <nmav@gnutls.org>2010-07-05 15:02:48 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2010-07-05 15:02:48 +0200
commite3617dd08019470a7c225e01c14bedd2ada7e52a (patch)
tree302c0b3deac947e8f3c5d697c7e48954b8e23ba4
parent1e338d75555d50af19d9593bc27eb1334159af2a (diff)
Warn when generating DSA keys of size more than 1024.
-rw-r--r--NEWS3
-rw-r--r--src/certtool.c7
2 files changed, 7 insertions, 3 deletions
diff --git a/NEWS b/NEWS
index aaf4226f16..4c4a6a9d77 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,9 @@ See the end for copying conditions.
** libgnutls: Correctly deinitialize crypto API functions to prevent
a memory leak. Reported by Mads Kiilerich.
+certtool: If asked to generate DSA keys of size more than 1024 bits,
+issue a warning, that the output key might not be working everywhere.
+
certtool: The --pkcs-cipher is taken into account when generating a
private key. The default cipher used now is aes-128. The old behavior can
be simulated by specifying "--pkcs-cipher 3des-pkcs12".
diff --git a/src/certtool.c b/src/certtool.c
index da81902de0..4ffc721273 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -172,9 +172,10 @@ generate_private_key_int (void)
if (info.dsa)
{
key_type = GNUTLS_PK_DSA;
- /* FIXME: Remove me once we depend on 1.3.x */
- if (info.bits > 1024 && gcry_check_version ("1.3.1") == NULL)
- info.bits = 1024;
+ if (info.bits > 1024)
+ {
+ fprintf(stderr, "It is suggested for compatibility with other implementations to use DSA keys bit length 1024\n");
+ }
}
else
key_type = GNUTLS_PK_RSA;
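Review bot: The new warning on the fprintf line does not tell the user what the interoperability problem is, and the call drops the file's GNU spacing (`fprintf (stderr, ...)`, as in `gcry_check_version ("1.3.1")` on the removed line). DSA keys longer than 1024 bits are signed with a SHA-2 digest rather than SHA-1 (the FIPS 186-3 parameter sets), which older peers may not accept, so naming the reason lets the user make an informed choice; e.g. `fprintf (stderr, "Warning: DSA keys longer than 1024 bits require SHA-2 signatures and may be rejected by older implementations; 1024 bits is suggested for compatibility.\n");`. The removed clamp also served as a guard for libgcrypt versions before 1.3.1 (the FIXME the commit deletes), so it is worth confirming that the build already requires a newer libgcrypt, since otherwise generation above 1024 bits would presumably fail on such systems instead of being silently limited. generate_private_key_int's body continues outside the hunk.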