Hi all, I am working on an application that would use DH to allow exchanging symmetric keys (not a TLS app), and we noticed that we could use two different approaches to generate the parameters. The first option is to use the DH_generate_parameters_ex() + DH_generate_key() - but that takes quite a long time when using 2048 bits DH. The second option, instead, is to generate DSA parameters and then copy them as DH params - i.e., using DSA_generate_parameters_ex() + DSA_dup_DH() + DH_generate_key(). Of course, the second approach is a lot faster - however, can anyone explain the warning not from the documentation "Be careful to avoid small subgroup attacks when using this." ? AFAIK, for such attacks to be effective, they require that the parameters are re-used multiple times. However, in our specific case, the generated parameters will be used only once (2048 bits) and then discarded... Cheers, Max
