On Fri, Jul 14, 2023 at 04:03:25PM +0000, Peter Gutmann wrote:

> Interesting, so you're saying that essentially no-one uses custom groups?  My
> code currently fast-tracks the known groups (RFC 3526 and RFC 7919) but also
> allows custom groups (with additional checking) to be on the safe side because
> you never know what weirdness is out there, do you have an idea of what sort
> of magnitude "hardly any" represents?

The "almost no one" is likely technology-sector specific.  Postfix prior
to 3.7 (released Q1 2022) or linked with OpenSSL 1.1.1 (rather than 3.0)
uses a compiled-in 2048-bit safe-prime DH group by default, or a locally
generated group if configured.

With Postfix 3.7 or later linked with OpenSSL 3.0 or later, the group
selection defaults to the OpenSSL "auto" list, which is based on the
security bits of the server certificate or cipher with anonDH:

    if (dh_secbits >= 192)
        p = BN_get_rfc3526_prime_8192(NULL);
    else if (dh_secbits >= 152)
        p = BN_get_rfc3526_prime_4096(NULL);
    else if (dh_secbits >= 128)
        p = BN_get_rfc3526_prime_3072(NULL);
    else if (dh_secbits >= 112)
        p = BN_get_rfc3526_prime_2048(NULL);
    else
        p = BN_get_rfc2409_prime_1024(NULL);

The most common result will be the rfc3526 2048-bit group.  It is not
clear that these are actually better, but they are perhaps more likely
interoperable for being widely-used 'standard' groups.

--
    Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
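
The split discussed in this message (known groups fast-tracked, custom groups checked further), as an added Python example that is not code from either poster, OpenSSL or Postfix: it derives the RFC 3526 2048/3072/4096-bit primes from their published pi-based formula and classifies a received DH modulus against them. The function names, the return strings and the custom-group policy (a size floor plus a safe-prime test) are assumptions made for illustration.

```python
import secrets

GUARD = 64  # spare fraction bits so truncating to floor(2^k * pi) is exact

def _atan_inv(x, one):
    """arctan(1/x) scaled by `one`: alternating Taylor series on integers."""
    total = term = one // x
    n = 1
    while term:
        term //= x * x
        n += 2
        total += -(term // n) if n % 4 == 3 else term // n
    return total

def modp_prime(bits, c):
    """p = 2^bits - 2^(bits-64) - 1 + 2^64 * (floor(2^(bits-130) * pi) + c)"""
    one = 1 << (bits - 130 + GUARD)
    pi = (16 * _atan_inv(5, one) - 4 * _atan_inv(239, one)) >> GUARD  # Machin
    return (1 << bits) - (1 << (bits - 64)) - 1 + ((pi + c) << 64)

# Offsets c as published in RFC 3526 for its 2048/3072/4096-bit groups.
KNOWN = {modp_prime(b, c): f"rfc3526-{b}"
         for b, c in ((2048, 124476), (3072, 1690314), (4096, 240904))}

def is_probable_prime(n, rounds=16):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        # composite if a^d != 1 and no a^(d*2^i), i < s, equals -1 mod n
        if x != 1 and all(pow(x, 1 << i, n) != n - 1 for i in range(s)):
            return False
    return True

def classify_dh_prime(p, min_bits=2048):
    """Known groups pass by lookup; custom ones get the assumed extra checks."""
    if p in KNOWN:
        return "known:" + KNOWN[p]
    if p.bit_length() < min_bits:
        return "reject:too-small"
    safe = is_probable_prime(p) and is_probable_prime((p - 1) // 2)
    return "custom:safe-prime" if safe else "reject:not-safe-prime"
```

The lookup path costs one dictionary probe, while the custom path costs two primality tests on a full-size modulus, which is the practical reason to recognise the standard groups first.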