We’ll be releasing a security-focused release of go-libp2p-core, v0.2.0, that brings some of libp2p’s cryptographic practices up to industry standards. While these changes don’t break existing APIs, they may still break existing code in the following ways:
- libp2p will return an error when a user attempts to generate RSA keys of less than 2048 bits. We recommend switching tests to use go-libp2p-testing’s latest release, which defaults to Ed25519. If, for some reason, you must use RSA keys of less than 2048 bits in a test, you may set the environment variable LIBP2P_ALLOW_WEAK_RSA_KEYS to any non-empty value (e.g. “on”), which will lower the minimum requirement to 512 bits (landing in v0.2.0).
- libp2p no longer supports the Blowfish cipher (landing in a follow-up release).
Additional changes that have landed recently include:
- v0.0.7 which switches all key comparisons to use constant-time comparisons.
- v0.0.8 which returns an error rather than panicking when an unknown curve type is passed to our elliptic curve key generating functions.
- v0.1.0 which introduces a new implementation of the insecure transport (FOR TESTING USE ONLY) which conforms to the recently published specification for plaintext key exchange.
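The two checks described above (the 2048-bit RSA minimum with the LIBP2P_ALLOW_WEAK_RSA_KEYS override, and constant-time key comparison), shown as an added illustration in plain Go. This is not go-libp2p-core’s own code; the function names and the error variable are assumptions made for the example, and only the environment variable name is taken from the release notes.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/subtle"
	"crypto/x509"
	"errors"
	"fmt"
	"os"
)

// Policy constants modelled on the release notes (illustrative reimplementation).
const (
	weakRSAEnv     = "LIBP2P_ALLOW_WEAK_RSA_KEYS" // name from the release notes
	defaultMinBits = 2048                         // enforced minimum in v0.2.0
	weakMinBits    = 512                          // minimum when the override is set
)

// ErrRsaKeyTooSmall is a hypothetical error value for this example.
var ErrRsaKeyTooSmall = errors.New("rsa key size below the configured minimum")

// minRSABits returns the accepted minimum, honouring the test-only override.
func minRSABits() int {
	if os.Getenv(weakRSAEnv) != "" {
		return weakMinBits
	}
	return defaultMinBits
}

// generateRSAKey rejects weak sizes before any key material is produced,
// returning an error rather than silently generating a weak key.
func generateRSAKey(bits int) (*rsa.PrivateKey, error) {
	if min := minRSABits(); bits < min {
		return nil, fmt.Errorf("%w: requested %d, minimum %d", ErrRsaKeyTooSmall, bits, min)
	}
	return rsa.GenerateKey(rand.Reader, bits)
}

// publicKeysEqual compares serialised public keys in constant time, so the
// comparison's duration does not depend on how many leading bytes match.
func publicKeysEqual(a, b *rsa.PublicKey) bool {
	return subtle.ConstantTimeCompare(x509.MarshalPKCS1PublicKey(a), x509.MarshalPKCS1PublicKey(b)) == 1
}

func main() {
	_, err := generateRSAKey(1024) // rejected unless the override is set
	fmt.Println("1024-bit request:", err)
}
```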