Vulnerability >> logjam << downgrades TLS connections to 512 Bit

> As an additional change for 1.0.2c or later (no need to
> delay the urgent fix), maybe adjust internal operations
> to discourage use of hardcoded DH groups for TLS DH (but
> NOT for generic DH-like operations such as openssl-based
> implementations of SRP).
That's going to be tough because standards groups like the TLS WG are
actively promoting fully specified, named parameters and curves.

See, for example, "Negotiated Finite Field Diffie-Hellman Ephemeral
Parameters for TLS",
https://tools.ietf.org/html/draft-ietf-tls-negotiated-ff-dhe-09; and
the discussion of magic primes at "Re: [TLS] Another IRINA bug in
TLS", https://www.ietf.org/mail-archive/web/tls/current/msg16417.html.
(The thread is due to the recent attacks on DH).

Jeff

