On 09/14/2004 11:21 AM, Jean-Marc Desperrier wrote: ...
> # On the same host where you run Thunderbird, do the following: openssl dhparam -out dhparam-2048 2048
> # this will take 5 mins on Pentium 3Ghz
> It's a looooong time, I believe very few people are doing this as it's not the default option of openssl (and other toolkits will not escape the fact that such a key takes a very long time to generate), so I think almost any EDH connection has the default of using a 'weak' 1024 DH key.
> This explains why nobody saw the problem before you.
Actually, this step is to generate a strong prime for DH exchange, which is a long-term parameter. The actual DH exchange will be completed on the order of a few ms on a modern CPU.
You may be right about the high percentage of SSL servers using 1024 EDH, but I think it is time to support stronger EDH.
I filed the bug; please check it for more information:
http://bugzilla.mozilla.org/show_bug.cgi?id=259229
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
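The distinction the reply draws, between generating the long-term DH parameter (a safe prime, the slow step that `openssl dhparam` performs) and running the per-connection ephemeral exchange (two modular exponentiations per side, milliseconds), is easy to see in code. The following is an added example written for this page; it is not code from the mailing-list thread, from OpenSSL or from the Mozilla bug. It is a pure-Python toy: the function names (`generate_dh_params`, `dh_exchange`, `dh_param_strength_ok`), the Miller-Rabin implementation and the 512-bit demo size are my own choices. A 512-bit safe prime keeps the demo to a few seconds in pure Python; the strength check still enforces the 2048-bit minimum the thread argues for, so the demo parameters are correctly reported as too weak.

```python
import secrets
import time

# Constructed example (not from the mailing-list post): contrast the one-time
# cost of generating DH parameters (a safe prime p = 2q + 1) with the
# per-connection cost of the ephemeral exchange itself.


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test (trial division first)."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for sp in small:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2        # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                        # composite witness found
    return True


def generate_dh_params(bits: int) -> tuple[int, int]:
    """Search for a safe prime p = 2q + 1 of exactly `bits` bits; return (p, g=2).

    This is the slow, long-term step (what `openssl dhparam` spends its
    minutes on); it is done once, not per connection.
    """
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1   # odd, bits-1 long
        if not is_probable_prime(q):
            continue
        p = 2 * q + 1
        if is_probable_prime(p):
            return p, 2


def is_safe_prime(p: int) -> bool:
    """True if p and (p-1)/2 are both (probable) primes."""
    return p > 5 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def dh_exchange(p: int, g: int) -> tuple[int, int]:
    """One ephemeral exchange: each side picks a fresh secret, sends g^x mod p,
    and derives the shared secret. Returns (client_secret, server_secret)."""
    a = secrets.randbelow(p - 2) + 1
    b = secrets.randbelow(p - 2) + 1
    ya = pow(g, a, p)                           # sent by side A
    yb = pow(g, b, p)                           # sent by side B
    return pow(yb, a, p), pow(ya, b, p)


def dh_param_strength_ok(p: int, minimum_bits: int = 2048) -> bool:
    """Deployment check: refuse parameters shorter than the minimum (the
    thread's point is that the 1024-bit default is too weak)."""
    return p.bit_length() >= minimum_bits


if __name__ == "__main__":
    BITS = 512  # demo size only; real parameters need >= 2048 bits
    t0 = time.perf_counter()
    p, g = generate_dh_params(BITS)
    t_gen = time.perf_counter() - t0
    t0 = time.perf_counter()
    k_a, k_b = dh_exchange(p, g)
    t_xch = time.perf_counter() - t0
    print(f"parameter generation ({BITS}-bit safe prime): {t_gen:.3f} s")
    print(f"one ephemeral exchange: {t_xch * 1000:.3f} ms, keys agree: {k_a == k_b}")
    print("meets the 2048-bit minimum:", dh_param_strength_ok(p))
```

Running it shows generation dominating by orders of magnitude even at this toy size, while the exchange stays in the sub-millisecond to millisecond range; raising `BITS` makes the gap larger, which is exactly why the long-term parameter is generated once and reused, and why its strength, not the per-session cost, is the thing to get right.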
