From 77109df8d252bd4ed929acd7afbf9a63caf83e8c Mon Sep 17 00:00:00 2001
From: Daniel Roethlisberger
Date: Tue, 24 Mar 2015 20:33:38 +0100
Subject: [PATCH] Improve docs on autogenerated 1024 bit RSA leaf key

Issue: #83
---
 main.c | 8 ++++++++
 sslsplit.1 | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/main.c b/main.c
index 5b40b77..104152a 100644
--- a/main.c
+++ b/main.c
@@ -756,6 +756,14 @@ main(int argc, char *argv[])
 #endif /* __APPLE__ */
 }
 if (opts_has_ssl_spec(opts) && opts->cakey && !opts->key) {
+/*
+ * While browsers still generally accept it, use a leaf key
+ * size of 1024 bit for leaf keys. When browsers start to
+ * sunset 1024 bit RSA in leaf keys, we will need to make this
+ * value bigger, and/or configurable. Until then, users who
+ * want a different size can always use their own pre-generated
+ * leaf key instead of generating one.
+ */
 opts->key = ssl_key_genrsa(1024);
 if (!opts->key) {
 fprintf(stderr, "%s: error generating RSA key:\n",
diff --git a/sslsplit.1 b/sslsplit.1
index 6abd772..7654cb2 100644
--- a/sslsplit.1
+++ b/sslsplit.1
@@ -177,7 +177,7 @@ If \fB-t\fP is also given, SSLsplit will only forge a certificate if there is no
 matching certificate in the provided certificate directory.
 .TP
 .B \-K \fIpemfile\fP
-Use private key from \fIpemfile\fP for certificates forged on-the-fly.
+Use private key from \fIpemfile\fP for the leaf certificates forged on-the-fly.
 If \fB-K\fP is not given, SSLsplit will generate a random 1024-bit RSA key.
 .TP
 .B \-l \fIlogfile\fP
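Review bot: The new comment in main.c explains the literal `1024` passed to `ssl_key_genrsa`, but the same number is repeated verbatim in the sslsplit.1 hunk, so the code and the man page will drift apart when the size is raised as the comment anticipates; a named constant for the default leaf key size (a `#define` or enum near the top of main.c) that the comment and the man page text both refer to would keep them in step. The first sentence of the comment is also redundant ("a leaf key size of 1024 bit for leaf keys"); suggested wording: ` * Use a 1024 bit RSA key for on-the-fly forged leaf certificates while browsers still generally accept that size.` It would help readers to state the actual reason for staying at 1024 bit (presumably the cost of generating keys, though the hunk does not show this) and to note that current guidance such as NIST SP 800-131A already treats 1024-bit RSA as deprecated, so that the pre-generated `-K` key the comment recommends should itself be at least 2048 bit. main() begins and ends outside the hunk.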