On 22/05/2015 03:57, Jeffrey Walton wrote:
>> As an additional change for 1.0.2c or later (no need to
>> delay the urgent fix), maybe adjust internal operations
>> to discourage use of hardcoded DH groups for TLS DH (but
>> NOT for generic DH-like operations such as openssl-based
>> implementations of SRP).
>
> That's going to be tough because standards groups like the TLS WG are
> actively promoting fully specified, named parameters and curves.
> See, for example, "Negotiated Finite Field Diffie-Hellman Ephemeral
> Parameters for TLS",
> https://tools.ietf.org/html/draft-ietf-tls-negotiated-ff-dhe-09; and
> the discussion of magic primes at "Re: [TLS] Another IRINA bug in
> TLS", https://www.ietf.org/mail-archive/web/tls/current/msg16417.html.
> (The thread is due to the recent attacks on DH).

The latter thread contains posts from respected experts
asking not to use fixed parameters for DH, and a lot of
noise from experts promoting their pet algorithms, such
as ECDH (off topic for DH issues), specific ideas of
which groups are the safest (most promoting the
"(p-1)/2 also prime" variant, none acknowledging the
DSA-like X9.42 variant), or just asking if LogJam is at
all real.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
openssl-users mailing list