On Fri, May 22, 2015 at 12:51 AM, Jakob Bohm <jb-openssl at wisemo.com> wrote:
> On 22/05/2015 03:57, Jeffrey Walton wrote:
>>>
>>> As an additional change for 1.0.2c or later (no need to
>>> delay the urgent fix), maybe adjust internal operations
>>> to discourage use of hardcoded DH groups for TLS DH (but
>>> NOT for generic DH-like operations such as openssl-based
>>> implementations of SRP).
>>
>> That's going to be tough because standards groups like the TLS WG are
>> actively promoting fully specified, named parameters and curves.
>>
>> See, for example, "Negotiated Finite Field Diffie-Hellman Ephemeral
>> Parameters for TLS",
>> https://tools.ietf.org/html/draft-ietf-tls-negotiated-ff-dhe-09; and
>> the discussion of magic primes at "Re: [TLS] Another IRINA bug in
>> TLS", https://www.ietf.org/mail-archive/web/tls/current/msg16417.html.
>> (The thread is due to the recent attacks on DH.)
>
> The latter thread contains posts from respected experts
> asking not to use fixed parameters for DH...

Well, I'm not sure how much more respected one can get than Daniel Kahn
Gillmor, Stephen Farrell, Eric Rescorla; or have better credentials than
practicing cryptographers. How high is your bar :)