On Mon, 2014-11-10 at 11:48 -1000, Daniel Kahn Gillmor wrote:
> Hi Pierre--
>
> > After some debugging it turns out that the failing criteria is that
> > multiple of 64 bits requirement[1]. For some reason I've gotten a 1023
> > bit prime, even though I called gnutls_dh_params_generate2() with 1024
> > as the argument.
>
> ugh. Java is at fault here -- there's no sense in this particular
> severe limitation. if they're willing to use 512-bit DHE parameters and
> 1024-bit DHE parameters, they should be willing to use 1023-bit DHE
> parameters.

That's indeed quite some arbitrary limitation.

> That said, i suppose it's possible that gnutls could always ensure that
> the high bit is set when generating a prime of a given size.

That should be the case in gnutls 3.3.x. That version delegates to nettle
the DH parameter generation and nettle seems to be more precise.

> > This is with GnuTLS 3.2.15 and nettle 2.7.1 on Windows.
> >
> > Who's to blame here? GnuTLS? Java? Us? Everybody? :)
> >
> > And what do I do about it? Keep calling gnutls_dh_params_generate2()
> > until I get what I need?

One option would be to upgrade to 3.3.x.

regards,
Nikos

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
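The two points raised in the thread, forcing the high bit so a "1024-bit" request never yields a 1023-bit prime, and checking a modulus against a peer's multiple-of-64 rule before using it, as an added example that is not part of the mailing-list exchange and not GnuTLS or nettle code. It is self-contained Python: the functions `generate_prime`, `is_probable_prime` and `check_dh_prime_size` are names chosen here, the candidates are plain Miller-Rabin probable primes rather than the safe primes gnutls_dh_params_generate2() produces, and the seeded generator exists only to make the demonstration reproducible.

```python
"""Added example: DH modulus size hygiene, not code from the GnuTLS thread.

generate_prime() forces the top bit of every candidate so the result has
exactly the requested bit length. check_dh_prime_size() reports the checks a
caller could run before handing a modulus to a peer (such as Java) that
rejects primes whose bit length is not a multiple of 64.
"""
import random
from typing import Optional

# Small primes for cheap trial division before the Miller-Rabin rounds.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71]


def is_probable_prime(n: int, rounds: int = 40, rng: Optional[random.Random] = None) -> bool:
    """Miller-Rabin probable-prime test with `rounds` random bases."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for sp in SMALL_PRIMES:
        if n == sp:
            return True
        if n % sp == 0:
            return False
    rng = rng or random.SystemRandom()
    # Write n - 1 as d * 2**r with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness of compositeness
    return True


def generate_prime(bits: int, rng: Optional[random.Random] = None) -> int:
    """Return a random probable prime of exactly `bits` bits.

    The top bit is OR-ed into every candidate, so a request for 1024 bits can
    never come back as a 1023-bit value (the failure the thread describes).
    The low bit is also set so only odd candidates are tested.
    """
    if bits < 2:
        raise ValueError("bits must be >= 2")
    rng = rng or random.SystemRandom()
    while True:
        candidate = rng.getrandbits(bits)
        candidate |= (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, rng=rng):
            return candidate


def check_dh_prime_size(p: int, requested_bits: int, multiple_of: int = 64) -> dict:
    """Report whether a modulus has the size the caller asked for and whether a
    peer requiring a multiple of `multiple_of` bits (64 for Java) would accept it.
    """
    n = p.bit_length()
    return {
        "bit_length": n,
        "matches_request": n == requested_bits,
        "high_bit_set": (p >> (requested_bits - 1)) & 1 == 1,
        "multiple_of_64": n % multiple_of == 0,
    }


if __name__ == "__main__":
    # Constructed demonstration values; a 1022-bit modulus with the top bit clear
    # stands in for the 1023-bit prime reported in the thread.
    short = (1 << 1022) | 1
    print("1023-bit value:", check_dh_prime_size(short, 1024))
    p = generate_prime(256, random.Random(1234))
    print("forced high bit:", check_dh_prime_size(p, 256))
```

A modulus that fails `matches_request` here is exactly the case the thread reports: the library returned a prime one bit shorter than requested, and the peer's multiple-of-64 rule then rejected it. Forcing the high bit at generation time, as the example does, removes the need to call the generator in a loop.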
