RFC7919 Diffie-Hellman parameters in Fedora

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,
tl;dr should we make it easier/automatic for users to use the Diffie-Hellman parameters defined in RFC7919?

For a long time, the general recommendation for Finite-Field Diffie-Hellman Ephemeral Parameters (FFDHE, for use with non-elliptic-curve DH, i.e. the dhparam-file many server configs ask us to specify) used in TLS was to generate your own. However, RFC7919 specifies fixed, auditable parameters with lengths of 2048-8102 bits [1], Mozilla has switched their recommendation from 'generate your own' to 'use ffdhe2048' [2] and IIRC TLSv3 mandates their use.

Main advantage in using them is a) since they're fixed & well-defined, they can be and are audited, b) clients don't have to check whether parameters they're given by a server are legit or meddled with (something that usually any client program would have to but few actually do).

So, questions:
1) do we already ship these groups somewhere, e.g. via a package that I don't know about? If not, should we maybe add one? 2) Many programs either ship their own dhparam files (on my systems at least proftpd, certbot & openssh, via the moduli file) or expect the user to point them to one (like webservers, dovecot, postfix etc.) + some for sure hardcode some defaults if the user does not specify parameters. Would it make sense to change their defaults - if possible - to use (one of the) RFC7919 groups? One could even integrate this with crypto-policies, if at some point one wants to e.g. change the desired group size.

Best,
Christopher

[1] https://tools.ietf.org/html/rfc7919
[2] https://wiki.mozilla.org/index.php?title=Security/Server_Side_TLS
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux