On Fri, Aug 19, 2016 at 12:29:23PM +0000, Peter Gutmann wrote:
> Bodo Moeller <bmoel...@acm.org> writes:
>
> >Peter, so your complaint is about the lack of support for explicitly
> >specified (non-"named") groups?
>
> It's the lack of support for DHE unless it's the exact parameters the server
> wants. At the moment if your implementation wants to use DHE (which pretty
> much all of them do) you have two options:
>
> 1. Ignore RFC 7919 and perform DHE with several billion devices worldwide.
>
> 2. Implement RFC 7919 and, unless both client and server happen to choose an
> appropriate FFDHE parameter set that both sides can agree on, be forced to
> fall back to the old, unsafe RSA key exchange.
AFAIK, that failure can only happen if at least one of:

- The server is buggy.
- All client-supported FFDHE groups are distrusted or not implemented on the server (yes, plural).
- All client-supported FFDHE groups are outside the server key size range (in which case you probably wouldn't want to try to do DHE with that client anyway).

Because otherwise there is always a group choice that works.

(I would say that 256+257+258 [2k, 3k and 4k] is a reasonable set to implement; 259 and 260 [6k and 8k] are too large.)

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
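The server-side selection the reply describes, written out as an added example (not code from the thread or from any TLS implementation): the server walks the client's supported_groups list and returns the first FFDHE codepoint it implements within its key size range, otherwise it falls back to a non-DHE key exchange and the failure is classified in the reply's terms. The ServerPolicy defaults (the reply's 256/257/258 set) and the client group lists in the test are constructed; the codepoint-to-modulus table is the one assigned by RFC 7919.

```python
"""RFC 7919 FFDHE group selection on the server side, modelled after the
failure conditions listed in the reply above (constructed example)."""
from dataclasses import dataclass, field
from typing import Iterable, Optional, Set

# Named FFDHE groups and their modulus sizes in bits, as assigned by RFC 7919.
FFDHE_GROUPS = {256: 2048, 257: 3072, 258: 4096, 259: 6144, 260: 8192}


@dataclass
class ServerPolicy:
    # Groups the server implements and trusts; defaults to the reply's
    # suggested set (constructed policy, not any real server's config).
    implemented: Set[int] = field(default_factory=lambda: {256, 257, 258})
    min_bits: int = 2048
    max_bits: int = 4096


def select_ffdhe_group(client_groups: Iterable[int],
                       policy: ServerPolicy) -> Optional[int]:
    """Return the first client-preferred FFDHE codepoint the server can use.

    None means no FFDHE group is usable; per RFC 7919 the server must then
    select a non-DHE cipher suite rather than use custom DH parameters."""
    for cp in client_groups:                 # client order = preference
        bits = FFDHE_GROUPS.get(cp)
        if bits is None:                     # ECDHE curve or unknown codepoint
            continue
        if cp not in policy.implemented:     # distrusted / not implemented
            continue
        if not policy.min_bits <= bits <= policy.max_bits:
            continue                         # outside server key size range
        return cp
    return None


def explain_failure(client_groups: Iterable[int], policy: ServerPolicy) -> str:
    """Classify why select_ffdhe_group() returned None, in the reply's terms.
    (The remaining condition, a buggy server, cannot be modelled here.)"""
    offered = [cp for cp in client_groups if cp in FFDHE_GROUPS]
    if not offered:
        return "client offered no FFDHE group"
    if not any(cp in policy.implemented for cp in offered):
        return "all client groups unimplemented/distrusted on server"
    return "all client groups outside server key size range"
```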