On 1/4/22 12:59, Daniel P. Berrangé wrote:
> We shouldn't be introducing use of gnutls_sec_param_to_pk_bits at
> all IMHO, rather we should be removing use of gnutls_dh_params_generate2
> instead.
>
> The recommendation is to use pre-generated DH parameters from
> the FFDHE set of RFC7919.
>
> In gnutls >= 3.6.0 this happens automatically.
>
> In gnutls >= 3.5.6 && < 3.6.0 we can replace the gnutls_dh_params_generate2 +
> gnutls_certificate_set_dh_params pair of calls, with just
> gnutls_certificate_set_known_dh_params()

Fair enough, I don't know enough about gnutls, but let me see if I can cook a patch.

Michal