> On May 31, 2018, at 12:37 PM, Tomas Mraz <tmraz@xxxxxxxxxx> wrote: > > I would not say that weak DH parameters are fully rejected by OpenSSL. > The 1024 bit DH parameters could be in theory attacked by state > agencies by precomputation of the discrete logarithm table. That's speculative. If the idea is to prefer kECDHE over kDHE, OpenSSL already does that. In practice ECDHE is negotiated when available. The issue at hand is whether kDHE is worse than kRSA. Which is more likely later key compromise or a brute force attack on 1024-bit DHE likely costing 10's to 100's of millions of dollars per key... > And openssl > still accepts 1024 bit DH by default if I am not mistaken. Yes, but unless you're another nation-state with secrets worth attacking at all costs, it seems rather unlikely that this is a concern. -- Viktor. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
