> On Dec 6, 2017, at 8:51 AM, Michael Wojcik <Michael.Wojcik@xxxxxxxxxxxxxx> wrote: > > > Note: If you use OpenSSL 1.0.x and you use the DH parameter callback, be aware that the callback isn't invoked in a useful manner by OpenSSL. (It always asks for a 1024-bit group, unless an export cipher suite was selected, which should never happen.) This is misleading. The callback does not really ask for a 1024-bit group, rather it passes one of two key-size hints "512" for export ciphers and 1024 for non-export ciphers. Therefore, one can return any reasonable group size instead of 1024 bits. See for example: https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_dh.c#L227 where the "1024-bit" group returned by the tmp_dh callback is a 2048-bit group. The text at: http://www.postfix.org/FORWARD_SECRECY_README.html#dfn_fs http://www.postfix.org/FORWARD_SECRECY_README.html#tls_fs may be helpful to some users not familiar with forward secrecy in TLS. > In fact, now that export ciphers have gone the way of the dodo, the best thing to do is probably just set a single group of your preferred size in all your SSL_CTX structures and forget about the callback. Sure, provided one is sure that this will not lead to (DH) private key re-use. In sufficiently recent OpenSSL releases single DH use is the default and IIRC cannot be disabled. But older releases may more reliably avoid DH key re-use when the group is provided via the tmp_dh callback. -- Viktor. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users