Jean-Marc Desperrier wrote:
> Congratulation ! You have found something that strongly looks like a > regression [...]
> [...]
Rather than being a regression (which implies being unplanned), the introduction of the failures due to those limits was deliberate.
I use the word 'regression' in a less restrictive meaning, just "something desirable that used to work doesn't work anymore".
And in this meaning it can sometimes be a relative notion, what is seen a regression for one person can also be seen as a bug fix for another person.
According to Lenstra's table a prime size of 2236 bits matches the current discrete log size limit of 160 bits, so I would consider raising DH_MAX_P_BITS to perhaps as much as 2236, but not more.
Maybe what you need is an asymmetric limit ?
A server might refuse to use key larger than 1024 for performance reason, but the client will wish to be able to connect to as many servers as reasonnably possible ...
In fact I understand here it's the SSL server that chooses the prime, so it will never be forced a too large prime by the client, therefore a very restrictive limit is not needed.
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
