On 22/05/2015 03:57, Jeffrey Walton wrote:
>> As an additional change for 1.0.2c or later (no need to
>> delay the urgent fix), maybe adjust internal operations
>> to discourage use of hardcoded DH groups for TLS DH (but
>> NOT for generic DH-like operations such as openssl-based
>> implementations of SRP).
> That's going to be tough because standards groups like the TLS WG are
> actively promoting fully specified, named parameters and curves.
>
> See, for example, "Negotiated Finite Field Diffie-Hellman Ephemeral
> Parameters for TLS",
> https://tools.ietf.org/html/draft-ietf-tls-negotiated-ff-dhe-09; and
> the discussion of magic primes at "Re: [TLS] Another IRINA bug in
> TLS", https://www.ietf.org/mail-archive/web/tls/current/msg16417.html.
> (The thread is due to the recent attacks on DH).

The latter thread contains posts from respected experts asking not to
use fixed parameters for DH, and a lot of noise from experts promoting
their pet algorithms, such as ECDH (off topic for DH issues), specific
ideas of which groups are the safest (most promoting the "(p-1)/2 also
prime" variant, none acknowledging the DSA-like X9.42 variant), or just
asking if LogJam is at all real.

Enjoy

Jakob

-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
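The two DH parameter shapes mentioned above, the safe-prime form ((p-1)/2 also prime) and the DSA-like X9.42 form (a prime q much smaller than p dividing p-1), call for different validation. The following is an added example, not code from the thread or from OpenSSL: it classifies a (p, g[, q]) group, checks that g generates the prime-order subgroup, enforces a bit-length floor (the LogJam attack relied on 512-bit export groups), and validates a peer public key against the subgroup. The function names are hypothetical, and every numeric group used is a tiny constructed value chosen so the arithmetic can be checked by hand; they are not real TLS parameters.

```python
"""Classify a finite-field DH group as a safe-prime group ((p-1)/2 prime)
or an X9.42-style group (DSA-like: prime q | p-1 with q much smaller than p),
check the generator, and validate a peer public key.  Added example for
this thread, not OpenSSL code; all numbers below are small constructed
values for illustration, not real TLS parameters."""

import random

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases: adequate for checking parameters you
    receive, not a substitute for a primality proof when publishing a group."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def classify_dh_group(p, g, q=None, min_bits=2048):
    """Describe the group (p, g[, q]).

    kind: "safe-prime"     -> q = (p-1)/2 is prime
          "x9.42-subgroup" -> caller-supplied prime q divides p-1, q != (p-1)/2
          "invalid"        -> p not prime, g out of range, or no usable q
    generator_ok: g generates the order-q subgroup (g^q == 1 mod p).  A g of
    order 2q (a primitive root) is rejected here because it leaks the low bit
    of the private exponent through the Legendre symbol of the public key.
    size_ok: p has at least min_bits bits (LogJam targeted 512-bit groups).
    """
    bits = p.bit_length()
    result = {"bits": bits, "size_ok": bits >= min_bits, "kind": "invalid",
              "q": None, "generator_ok": False}
    if not (2 <= g <= p - 2) or not is_probable_prime(p):
        return result
    if q is None:
        q = (p - 1) // 2          # assume the safe-prime form when no q is given
    if (p - 1) % q != 0 or not is_probable_prime(q):
        return result             # e.g. a non-safe prime with no explicit q
    result["q"] = q
    result["kind"] = "safe-prime" if q == (p - 1) // 2 else "x9.42-subgroup"
    result["generator_ok"] = pow(g, q, p) == 1
    return result


def public_key_ok(p, q, y):
    """Reject y outside [2, p-2] and y outside the order-q subgroup.
    The y^q check blocks small-subgroup confinement, the main hazard of
    X9.42 groups, where p-1 carries other, possibly small, prime factors."""
    return 2 <= y <= p - 2 and pow(y, q, p) == 1


if __name__ == "__main__":
    # constructed toy groups (5- and 7-bit primes), not real parameters
    print(classify_dh_group(23, 2, min_bits=0))         # safe-prime, g ok
    print(classify_dh_group(23, 5, min_bits=0))         # safe-prime, g is a primitive root
    print(classify_dh_group(67, 64, q=11, min_bits=0))  # x9.42-subgroup, g ok
    print(classify_dh_group(67, 2, min_bits=0))         # invalid: (67-1)/2 = 33 is composite
    print(classify_dh_group(23, 2))                     # size_ok False at the 2048-bit floor
    print(public_key_ok(67, 11, 40), public_key_ok(67, 11, 2))
```

With a safe prime the only check a receiver needs on y is the range test plus y^q == 1 (which also rejects the order-2 element p-1); with an X9.42 group the y^q test is what stands between the private exponent and a small-subgroup attack, since p-1 is deliberately built from factors other than q.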