Hi Willy,
> Thank you, that was pretty clear and easy. I checked that I was running
> with about 2 kb of entropy before the tests and that I was alone on the
> machine, so I'm confident that what I did wasn't skewed.
>
> I pushed this into 1.6. I'd rather issue -dev2 with it, wait a little bit
> then backport it into 1.5 if we don't get any negative feedback. We might
> have to help distro maintainers prepare some arguments to backport this.

For the record, I checked out current nginx [1] and apache [2] sources and they don't seem to care about this at all. Nginx has a static 1024-bit group in the source (nothing else) and Apache gets 2048-bit+ groups from openssl (as we did previously).

I still think that our approach is suboptimal, mainly because I would rather not get involved (by introducing a static key) in such advanced crypto stuff. A proper solution or proposal should imho come from openssl. They can't possibly expect application developers to take care of such low-level crypto things. At least a recommendation would be nice (get_rfc2409_prime_1024 is unsafe, don't use it? get_rfc2409_prime_2048 can be considered safe?).

Anyway, it doesn't look like there is a simple answer to the question about what's the right thing to do ...

Regards,
Lukas

[1] http://hg.nginx.org/nginx/file/e034af368274/src/event/ngx_event_openssl.c#l905
[2] https://github.com/apache/httpd/blob/trunk/modules/ssl/ssl_engine_init.c#L70