httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: yet another mod_ssl temp DH handling tweak
Date Thu, 26 Jun 2014 16:23:46 GMT
On Sat, Jun 21, 2014 at 09:24:05AM +0200, Kaspar Brand wrote:
> On 19.06.2014 23:17, Joe Orton wrote:
> > I was reminded that there was a request to use the larger key sizes as 
> > well.
> 
> Using ephemeral DH keys with sizes > 4096 bits in TLS seems way overkill
> for the next decade or so (3072 bits are already considered to have a
> 128-bit symmetric-key strength), but if it makes people happy to use
> unreasonably large keys, then so be it... the docs for
> SSLCertificateFile should also be updated in this case.

Thanks to you & Rüdiger for review!  r1605827 & r1605829

> > +/* Storage and initialization for DH parameters. */
> > +static struct dhparam {
> > +    BIGNUM *(*const prime)(BIGNUM *); /* function to generate... */
> > +    DH *dh;                           /* ...this, used for keys.... */
> > +    const unsigned int min;           /* ...of length >= this. */
> > +} dhparams[] = {
> > +    { get_rfc3526_prime_8192, NULL, 6145 },
> > +    { get_rfc3526_prime_6144, NULL, 4097 },
> > +    { get_rfc3526_prime_4096, NULL, 3073 },
> > +    { get_rfc3526_prime_3072, NULL, 2049 },
> > +    { get_rfc3526_prime_2048, NULL, 1025 },
> > +    { get_rfc2409_prime_1024, NULL, 0 }
> > +};
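Review bot: the table's ordering invariant and its floor entry are undocumented in the hunk. The `min` comment ("...of length >= this") implies a lookup that walks the rows in descending `min` order and stops at the first match, and the last row (`get_rfc2409_prime_1024`, `min` 0) is the catch-all that every key of 1024 bits or fewer lands on; a comment above `dhparams[]` stating that rows must stay sorted by `min` descending, and that the 1024-bit RFC 2409 group is the weakest parameter set this table will ever hand out, would stop a later reordering or insertion from silently changing which group a given key length selects. The `DH *dh` field is a per-row cache initialised to NULL, so the struct comment should also say where it is populated and freed (once at module init versus on first use), since filling a static table lazily from request-handling threads would need locking.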
> 
> Perhaps the "min" values could be increased somewhat -
> 7168/5120/3584/2560/1536 (i.e. "half way" between two steps)?

I've a mild preference for keeping to the 1K multiples, since half way 
is kind of arbitrary... if you or anybody else feels strongly about this 
I'm happy to adjust.

Regards, Joe
