Improve docs on autogenerated 1024 bit RSA leaf key

Issue: #83
9 years ago · 77109df8d2
parent 6e53e93d0f
commit 77109df8d2
2 changed files with 9 additions and 1 deletions
--- a/main.c
+++ b/main.c
@ -756,6 +756,14 @@ main(int argc, char *argv[])
 #endif /* __APPLE__ */
 	}
 	if (opts_has_ssl_spec(opts) && opts->cakey && !opts->key) {
+		/*
+		 * While browsers still generally accept it, use a leaf key
+		 * size of 1024 bit for leaf keys.  When browsers start to
+		 * sunset 1024 bit RSA in leaf keys, we will need to make this
+		 * value bigger, and/or configurable.  Until then, users who
+		 * want a different size can always use their own pre-generated
+		 * leaf key instead of generating one.
+		 */
 		opts->key = ssl_key_genrsa(1024);
 		if (!opts->key) {
 			fprintf(stderr, "%s: error generating RSA key:\n",
--- a/sslsplit.1
+++ b/sslsplit.1
@ -177,7 +177,7 @@ If \fB-t\fP is also given, SSLsplit will only forge a certificate if there is
 no matching certificate in the provided certificate directory.
 .TP
 .B \-K \fIpemfile\fP
-Use private key from \fIpemfile\fP for certificates forged on-the-fly.
+Use private key from \fIpemfile\fP for the leaf certificates forged on-the-fly.
 If \fB-K\fP is not given, SSLsplit will generate a random 1024-bit RSA key.
 .TP
 .B \-l \fIlogfile\fP