Hubert, I’m aware of at least one company (using the term loosely) that uses a custom group, and probably understands FFDH(E) better than you or me. Since they had their reasons for choosing custom, “can change … to use well-known groups” (obviously) does not apply.
Regards,
Uri

> On Jul 14, 2023, at 12:33, Hubert Kario <hka...@redhat.com> wrote:
>
>> On Friday, 14 July 2023 18:03:25 CEST, Peter Gutmann wrote:
>> Hubert Kario <hka...@redhat.com> writes:
>>
>>> FIPS requires to support only well known groups (all of them 2048 bit or
>>> larger), and we've received hardly any customer issues after implementing
>>> that as hard check (connection will fail if the key exchange uses custom DH
>>> parameters) good few years ago now.
>>
>> Interesting, so you're saying that essentially no-one uses custom groups? My
>> code currently fast-tracks the known groups (RFC 3526 and RFC 7919) but also
>> allows custom groups (with additional checking) to be on the safe side because
>> you never know what weirdness is out there, do you have an idea of what sort
>> of magnitude "hardly any" represents?
>
> I wouldn't go as far as "nobody uses them", it's more like "people that use
> them, either have them configured unknowingly or can change configuration
> to use well known groups". So while it may cause interoperability issues,
> for people that really do care about interoperability with old systems,
> they are fine with tweaking DH configuration to make it happen (or simply
> end up using ECDHE and are completely unaware of the whole issue).
>
> One more side note: in FIPS mode we also disable RSA ciphersuites, so the
> FFDHE and ECDHE, both with only well known groups, are the only two key
> exchanges that do work.
>
>> And can something similar be said about SSH implementations? There's fixed DH
>> groups and then the Swiss-army-knife diffie-hellman-group-exchange-*, but
>> AFAIK the only groups that ever get exchanged there are the RFC 3526/7919
>> ones.
>
> Nope, for OpenSSH those will be the safe-primes from /etc/ssh/moduli, though
> in FIPS mode we do ignore that file and indeed use RFC 3526 or 7919 groups
> of at least 2048 bits (don't remember what we default to, but we will accept
> either)
> --
> Regards,
> Hubert Kario
> Principal Quality Engineer, RHEL Crypto team
> Web: www.cz.redhat.com
> Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
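The two policies the thread contrasts, the FIPS-mode hard check (only well-known groups of at least 2048 bits, anything else fails the handshake) and Peter's lenient variant (fast-track the RFC 3526 / RFC 7919 groups, accept a custom group only after additional checking), written out as an added Python example. This is not code from the thread or from any implementation mentioned in it. The two primes are the ffdhe2048 group from RFC 7919 and group 14 from RFC 3526; the `check_dh_group` / `check_peer_public` functions, the `known` table and the "offers" at the bottom are assumptions made for illustration, and the offers are constructed rather than captured handshakes.

```python
"""Policy check for finite-field DH parameters offered by a TLS peer.

Added example; not code from the thread or any implementation discussed in it.
  strict  - only well-known groups of >= 2048 bits pass (FIPS-mode style
            hard check: a custom group fails the handshake);
  lenient - well-known groups are fast-tracked, custom groups are accepted
            only after extra checking (size, safe prime, generator order).
"""


def _hex(s: str) -> int:
    return int("".join(s.split()), 16)


# RFC 7919, Appendix A.1: ffdhe2048 (g = 2)
P_FFDHE2048 = _hex("""
FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1 D8B9C583 CE2D3695
A9E13641 146433FB CC939DCE 249B3EF9 7D2FE363 630C75D8 F681B202 AEC4617A
D3DF1ED5 D5FD6561 2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935
984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735 30ACCA4F 483A797A
BC0AB182 B324FB61 D108A94B B2C8E3FB B96ADAB7 60D7F468 1D4F42A3 DE394DF4
AE56EDE7 6372BB19 0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61
9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73 3BB5FCBC 2EC22005
C58EF183 7D1683B2 C6F34A26 C1B2EFFA 886B4238 61285C97 FFFFFFFF FFFFFFFF
""")
# RFC 3526, Section 3: 2048-bit MODP group (group 14, g = 2)
P_MODP2048 = _hex("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""")

KNOWN_GROUPS = {  # hypothetical allow-list keyed on (p, g)
    (P_FFDHE2048, 2): "ffdhe2048 (RFC 7919)",
    (P_MODP2048, 2): "modp2048 (RFC 3526 group 14)",
}
MIN_BITS = 2048
_BASES = (2, 3, 5, 7, 11, 13, 17, 19)  # fixed Miller-Rabin bases, repeatable for a demo


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; use a vetted library test in production."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p: int) -> bool:
    """p = 2q + 1 with q an odd prime; such p is always 3 mod 4 (cheap pre-filter)."""
    return p % 4 == 3 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def check_dh_group(p: int, g: int, strict: bool, known=KNOWN_GROUPS):
    """Return (accept, reason) for ServerKeyExchange parameters (p, g)."""
    name = known.get((p, g))
    if name is not None:                      # fast path under both policies
        return True, f"well-known group: {name}"
    if strict:                                # the FIPS-mode hard check
        return False, "custom DH parameters: handshake fails under strict policy"
    # Lenient policy: a custom group has to pass additional checking first.
    if p.bit_length() < MIN_BITS:
        return False, f"custom group too small ({p.bit_length()} bits)"
    if not is_safe_prime(p):
        return False, "custom p is not a safe prime"
    if not 1 < g < p - 1:
        return False, "generator out of range"
    if pow(g, (p - 1) // 2, p) != 1:          # g must generate the order-q subgroup
        return False, "generator is not in the order-q subgroup"
    return True, f"custom {p.bit_length()}-bit group accepted after validation"


def check_peer_public(p: int, ys: int):
    """Reject degenerate / small-subgroup public values. Assumes p is a safe prime
    and the accepted g has order q, so an honest Ys satisfies Ys^q = 1; Ys = 1,
    Ys = p-1 and quadratic non-residues (order 2q) are all refused."""
    if not 1 < ys < p - 1:
        return False, "public value out of range"
    if pow(ys, (p - 1) // 2, p) != 1:
        return False, "public value is not in the order-q subgroup"
    return True, "public value ok"


if __name__ == "__main__":
    offers = [  # constructed, not captured traffic; one per branch
        ("ffdhe2048, g=2", P_FFDHE2048, 2),
        ("1024-bit modulus", (1 << 1023) | 0xB, 2),
        ("even modulus", P_FFDHE2048 - 1, 2),
        ("ffdhe2048 prime, g=-4 (non-residue)", P_FFDHE2048, P_FFDHE2048 - 4),
    ]
    for strict in (True, False):
        for label, p, g in offers:
            ok, why = check_dh_group(p, g, strict)
            print(f"{'strict ' if strict else 'lenient'} {label:38} {'ACCEPT' if ok else 'REJECT'}: {why}")
    print("modp2048 via custom path:", check_dh_group(P_MODP2048, 2, False, known={}))
    print("peer Ys:", check_peer_public(P_FFDHE2048, pow(2, 0xC0FFEE, P_FFDHE2048)),
          check_peer_public(P_FFDHE2048, P_FFDHE2048 - 32))
```

The `g = p - 4` and `Ys = p - 32` cases are deliberate: both primes are 3 mod 4, so -1 is a non-residue and those values have order 2q rather than q, which the subgroup checks catch while a bare range check would not. Note what the lenient path does and does not buy: passing the safe-prime and generator tests shows the group is well-formed, but says nothing about where the prime came from, which is exactly why the well-known RFC 3526/7919 groups are preferred and why a strict policy can simply refuse the rest.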