The current hardcoded EDH parameter fallback use the old SKIP primes, for which the source disappeared from the web a long time ago. Referencing a known dead source seems a bit silly, so I think we should either switch to a non-dead source of MODP primes or use an archive.org link for SKIP. Personally I prefer the former.
This was touched upon, but never really discussed AFAICT, back when then EDH parameters were reworked a few years ago. Instead of replacing with custom ones, as suggested in [1] it we might as well replace with standardized ones as this is a fallback. Custom ones wont make it more secure, just add more work for the project. The attached patch replace the SKIP prime with the 2048 bit MODP group from RFC 3526, which is the same change that OpenSSL did a few years back [2]. cheers ./daniel [1] https://www.postgresql.org/message-id/54f44984-2f09-8744-927f-140a90c379dc%40ohmu.fi [2] https://github.com/openssl/openssl/commit/fb015ca6f05e09b11a3932f89d25bae697c8af1e
skip_primes.patch
Description: Binary data
