For TLSv1.3, servers are no longer allowed to specify arbitrary DH groups (for 
finite-field or EC DH). They must use one of the named groups. So for 1.3, 
there's no point in generating your own groups; conforming implementations 
can't use them.

For finite-field DH, those are the groups specified by RFC 7919. For ECDH 
there's a list in the draft TLSv1.3 spec (see section 4.2.8.2), which is 
available at the usual places.

For TLS prior to 1.3, I agree with Jakob, whose recommendations are essentially 
the same as the original set coming from the WeakDH researchers. Since the 
publication of RFC 7919, some people have been recommending using only those 
groups, because they're believed to be trustworthy; I don't find that a 
compelling argument. But it's likely that TLSv1.3 (and its successors, 
presumably continuing the ban on arbitrary groups) will eventually come to 
dominate, making the question irrelevant in practice.

In short: Use "openssl dhparam" to generate a suitable group or groups, or use 
the group or groups of appropriate size from RFC 7919. Hard-code these in your 
server.

Note: If you use OpenSSL 1.0.x and you use the DH parameter callback, be aware 
that the callback isn't invoked in a useful manner by OpenSSL. (It always asks 
for a 1024-bit group, unless an export cipher suite was selected, which should 
never happen.) In fact, now that export ciphers have gone the way of the dodo, 
the best thing to do is probably just set a single group of your preferred size 
in all your SSL_CTX structures and forget about the callback.

-- 
Michael Wojcik 
Distinguished Engineer, Micro Focus 



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Reply via email to