For TLSv1.3, servers are no longer allowed to specify arbitrary DH groups (for finite-field or EC DH). They must use one of the named groups. So for 1.3, there's no point in generating your own groups; conforming implementations can't use them.
For finite-field DH, those are the groups specified by RFC 7919. For ECDH there's a list in the draft TLSv1.3 spec (see section 4.2.8.2), which is available at the usual places. For TLS prior to 1.3, I agree with Jakob, whose recommendations are essentially the same as the original set coming from the WeakDH researchers. Since the publication of RFC 7919, some people have been recommending using only those groups, because they're believed to be trustworthy; I don't find that a compelling argument. But it's likely that TLSv1.3 (and its successors, presumably continuing the ban on arbitrary groups) will eventually come to dominate, making the question irrelevant in practice. In short: Use "openssl dhparam" to generate a suitable group or groups, or use the group or groups of appropriate size from RFC 7919. Hard-code these in your server. Note: If you use OpenSSL 1.0.x and you use the DH parameter callback, be aware that the callback isn't invoked in a useful manner by OpenSSL. (It always asks for a 1024-bit group, unless an export cipher suite was selected, which should never happen.) In fact, now that export ciphers have gone the way of the dodo, the best thing to do is probably just set a single group of your preferred size in all your SSL_CTX structures and forget about the callback. -- Michael Wojcik Distinguished Engineer, Micro Focus -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
