On Wed, Jul 4, 2018 at 8:15 AM, David Benjamin <david...@chromium.org> wrote: > > Indeed. The bad feedback was not even at a 2048-bit minimum, but a mere > 1024-bit minimum. (Chrome enabled far more DHE ciphers than others, so we > encountered a lot of this.) 2048-bit was completely hopeless. At the time > of removal, 95% of DHE negotiations made by Chrome used a 1024-bit minimum. > See here for details: > https://groups.google.com/a/chromium.org/d/msg/blink-dev/ > ShRaCsYx4lk/46rD81AsBwAJ >
>From the server side: we found that enforcing a 2048-bit size was unworkable, it breaks clients that will negotiate DHE but then fail when the exchange happens, including versions of Java. Because the breakage happens post-handshake, there was little recourse to fix it. We did look at fingerprinting the clients and trying to use a different size for those, but even that led to too high an error rate. So we removed DHE in general and use ECDHE for FS. -- Colm
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
