On 11/07/2013 09:15 AM, Kurt Roeckx wrote:
> I filed a ticket about this earlier (#3120)
> You can see the discussion about that here:
> http://openssl.6102.n7.nabble.com/openssl-org-3120-Minimum-size-of-DH-td46401.html

ah, thanks. It's too bad that discussion isn't mirrored on
https://rt.openssl.org/Ticket/Display.html?id=3120
> Which basically says that clients can reject it if they want, but I'd
> rather see some sane default.

Given that I've never seen a client actually verify that this value
meets their security expectations, having a sane default baked in would
be a good idea.
Either that, or the OpenSSL project needs to give much stronger explicit
guidance to its users about how to verify the security parameters of its
sessions.
--dkg
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
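
A client-side check of the kind the message above says is rarely performed, as an added example that is not part of the original thread or of OpenSSL: it parses the ServerDHParams structure (RFC 5246) from a TLS ServerKeyExchange body and reports a too-small `dh_p`. The 2048-bit minimum, the function names and the sample bytes are assumptions, and the range checks on `dh_g` and `dh_Ys` go slightly beyond the prime-size point under discussion.

```python
import struct

MIN_DH_BITS = 2048  # assumed local policy; the thread does not name a value


class DHParamError(ValueError):
    """Raised when the ServerDHParams bytes are malformed."""


def _read_opaque16(buf, offset):
    """Read one opaque<1..2^16-1> vector: 2-byte big-endian length, then data."""
    if offset + 2 > len(buf):
        raise DHParamError("truncated length field")
    (length,) = struct.unpack_from("!H", buf, offset)
    start, end = offset + 2, offset + 2 + length
    if length == 0 or end > len(buf):
        raise DHParamError("empty or truncated vector")
    return int.from_bytes(buf[start:end], "big"), end


def check_dh_params(buf, min_bits=MIN_DH_BITS):
    """Return a list of policy violations; an empty list means acceptable."""
    p, off = _read_opaque16(buf, 0)
    g, off = _read_opaque16(buf, off)
    ys, off = _read_opaque16(buf, off)
    problems = []
    # bit_length() ignores leading zero bytes, so a padded small prime
    # cannot pass by merely occupying a long field.
    if p.bit_length() < min_bits:
        problems.append(f"dh_p is {p.bit_length()} bits, below minimum {min_bits}")
    if p % 2 == 0:
        problems.append("dh_p is even, so it cannot be a prime modulus")
    if not 1 < g < p - 1:
        problems.append("dh_g outside 2..p-2")
    if not 1 < ys < p - 1:
        problems.append("dh_Ys outside 2..p-2")
    return problems


def _vec(n, width=None):
    """Encode an integer as a length-prefixed vector (helper for samples)."""
    raw = n.to_bytes(width or (n.bit_length() + 7) // 8, "big")
    return struct.pack("!H", len(raw)) + raw


# Constructed samples: odd numbers of the stated size, not real primes.
WEAK = _vec((1 << 511) + 111) + _vec(2) + _vec(12345)
STRONG = _vec((1 << 2047) + 1081) + _vec(2) + _vec(12345)
PADDED_WEAK = _vec((1 << 511) + 111, width=256) + _vec(2) + _vec(12345)
```

The check does not test primality or group structure; it only enforces the size and range policy a client can apply cheaply before continuing the handshake.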