On Tue, 11 Nov 2014 12:42:10 +0100, Nikos Mavrogiannopoulos wrote:

> On Tue, Nov 11, 2014 at 7:58 AM, Pierre Ossman <[email protected]> wrote:
> > It was generated like this:
> >
> >     if (gnutls_dh_params_generate2(dh_params, DH_BITS) != GNUTLS_E_SUCCESS)
> >         throw AuthFailureException("gnutls_dh_params_generate2 failed");
>
> A question that arises, is why do you generate those parameters
> anyway? Why not ship some static parameters (via certtool
> --get-dh-params).

Unfortunately I have no idea as I did not write that code. It's probably based on one of your examples that generates them on the fly.

TBH, I've never gotten a good grasp on what a good security policy is with regard to DH params. Some have pregenerated values, but I also see references that they should be regenerated every few hours/days/etc. Got any insight to share?

> >> One option would be to upgrade to 3.3.x.
> >>
> > But that is still not considered a stable series, right?
>
> It is the current stable.

Oh. I got confused by the front page which states:

> Released GnuTLS 3.3.10, GnuTLS 3.2.20, GnuTLS 3.1.28, which are bug-fix
> releases on the next, current and previous stable branches respectively.

I.e. 3.3.10 is being called "next", which suggests to me that it wasn't stable yet. But I see now that the download page lists 3.3.x as stable.

Rgds
-- 
Pierre Ossman           Software Development
Cendio AB               https://cendio.com
Teknikringen 8          https://twitter.com/ThinLinc
583 30 Linköping        https://facebook.com/ThinLinc
Phone: +46-13-214600    https://plus.google.com/+CendioThinLinc

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
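The thread leaves open what to do with parameters that are shipped statically instead of generated at startup. The following is an added example, not code from this thread or from GnuTLS: it writes and reads the PKCS#3 "DH PARAMETERS" PEM block that certtool --get-dh-params emits, and runs the sanity checks a server operator would want before trusting a static parameter file (prime of adequate size, safe prime, generator confined to the order-q subgroup). The 2048-bit floor, the function names and the toy group p=23 are this example's own assumptions; Python is used so it runs with nothing but the standard library.

```python
import base64
import random
import textwrap

# PEM armour used by PKCS#3 DH parameter files (what certtool --get-dh-params prints)
PEM_HEADER = "-----BEGIN DH PARAMETERS-----"
PEM_FOOTER = "-----END DH PARAMETERS-----"


def _der_len(n: int) -> bytes:
    # DER length: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v: int) -> bytes:
    # Unsigned value; the +8 reserves a leading zero byte when the top bit would be set
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def export_pkcs3(p: int, g: int) -> str:
    """Encode DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER } as PEM."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join([PEM_HEADER, *textwrap.wrap(b64, 64), PEM_FOOTER]) + "\n"


def _read_tlv(buf: bytes, pos: int):
    # Minimal DER tag/length/value reader; returns (tag, value, next position)
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def import_pkcs3(pem: str):
    """Parse a PKCS#3 PEM block back into (p, g). Trailing optional fields are ignored."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("not a PKCS#3 DH PARAMETERS block")
    der = base64.b64decode("".join(lines[1:-1]))
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER prime and base")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with a fixed seed so results are reproducible across runs."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dh_params(p: int, g: int, min_bits: int = 2048) -> list:
    """Return a list of findings; an empty list means the group passed every check."""
    findings = []
    if p.bit_length() < min_bits:
        findings.append(f"prime is {p.bit_length()} bits, below the {min_bits}-bit minimum")
    if not is_probable_prime(p):
        findings.append("p is not prime")
        return findings
    q = (p - 1) // 2
    if not is_probable_prime(q):
        findings.append("p is not a safe prime: (p-1)/2 is composite")
        return findings
    if not 1 < g < p - 1:
        findings.append("generator is out of range")
    elif pow(g, q, p) != 1:
        # g generating the whole group of order 2q exposes the low bit of each private exponent
        findings.append("generator is not in the order-q subgroup")
    return findings


if __name__ == "__main__":
    # Constructed toy group (p=23 is a safe prime, 2 has order 11); far too small for real use
    pem = export_pkcs3(23, 2)
    print(pem)
    p, g = import_pkcs3(pem)
    print(check_dh_params(p, g))  # the only finding should be the size
```

Swapping the toy values for a real file written by certtool --get-dh-params is a matter of reading the PEM text from disk and calling import_pkcs3 followed by check_dh_params; the size check is what turns a forgotten 1024-bit file into a startup error rather than a silent weak negotiation.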
_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
