> On Dec 6, 2017, at 8:51 AM, Michael Wojcik <michael.woj...@microfocus.com> 
> wrote:
> 
> 
> Note: If you use OpenSSL 1.0.x and you use the DH parameter callback, be 
> aware that the callback isn't invoked in a useful manner by OpenSSL. (It 
> always asks for a 1024-bit group, unless an export cipher suite was selected, 
> which should never happen.)

This is misleading.  The callback does not really ask for a 1024-bit group,
rather it passes one of two key-size hints "512" for export ciphers and 1024
for non-export ciphers.  Therefore, one can return any reasonable group size
instead of 1024 bits.  See for example:

   
https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_dh.c#L227

where the "1024-bit" group returned by the tmp_dh callback is a 2048-bit group.

The text at:

   http://www.postfix.org/FORWARD_SECRECY_README.html#dfn_fs
   http://www.postfix.org/FORWARD_SECRECY_README.html#tls_fs

may be helpful to some users not familiar with forward secrecy in TLS.


> In fact, now that export ciphers have gone the way of the dodo, the best 
> thing to do is probably just set a single group of your preferred size in all 
> your SSL_CTX structures and forget about the callback.

Sure, provided one is sure that this will not lead to (DH) private key re-use.
In sufficiently recent OpenSSL releases single DH use is the default and IIRC
cannot be disabled.  But older releases may more reliably avoid DH key re-use
when the group is provided via the tmp_dh callback.

-- 
        Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Reply via email to