>It is not at this point emphasized anywhere, including on weakdh.org, that it >is actually of high importance to regenerate your DH parameters frequently.
That's not really correct. If you're using a prime of length at least 2048 bits, then the corresponding discrete-log problem is well-beyond the pre-computation ability of the NSA (or anyone else). It is computationally intensive to generate such large primes, p (and corresponding base parameter, g). You need to ensure that p is actually prime (the costly step [1]) and that g is primitive. Which is why most implementations have used shorter (<= 1024 bit) primes. Using shorter primes, and regenerating DH parameters at regular intervals, is only a linear-time improvement. By contrast, generating longer DH parameters (without bothering to regenerate) is an EXPONENTIAL improvement in security. So the best setting is to set ssl_dh_parameters_length as large as feasible ([2] recommends 2048 bits), and NOT to regenerate. [1] http://en.wikipedia.org/wiki/Miller%E2%80%93Rabin_primality_test [2] https://weakdh.org/sysadmin.html
signature.asc
Description: Message signed with OpenPGP using GPGMail
