Given Adrien et al.'s recent paper [1] together with their proof-of-concept attacks against 512-bit DH groups [2], it might be a good time to resurrect a discussion Daniel Kahn Gillmor has brought up in the past.
Namely, whether it makes sense for OpenSSL to reject DH groups smaller than some minimum. Say, 1024 bits or more. Currently, a client implementation built on OpenSSL will happily accept small DH groups from a peer (e.g. a 16-bit DH group [3]).

[1] https://weakdh.org/imperfect-forward-secrecy.pdf
[2] https://weakdh.org/logjam.html
[3] openssl s_client -connect demo.cmrg.net:443 < /dev/null

--mancha

PS My understanding is Google Chrome will soon be rejecting all DH groups smaller than 1024 bits.
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
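
The kind of client-side check the message above proposes, as an added example that is not part of the original post and not OpenSSL code: it parses the TLS ServerDHParams fields (dh_p, dh_g, dh_Ys) and rejects a prime below a minimum size, counting real bits so a zero-padded small prime does not pass. The helper name dh_group_acceptable, the MIN_DH_BITS constant and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MIN_DH_BITS 1024 /* assumed floor, from the post's "1024 bits or more" */

/* Bit length of a big-endian integer; leading zero bytes do not count. */
static size_t be_bit_length(const uint8_t *p, size_t len) {
    while (len > 0 && *p == 0) { p++; len--; }
    if (len == 0) return 0;
    size_t bits = len * 8;
    for (uint8_t top = *p; !(top & 0x80); top <<= 1) bits--;
    return bits;
}

/* Read one TLS opaque<1..2^16-1> vector: 2-byte length, then the data. */
static int read_vec16(const uint8_t **cur, const uint8_t *end,
                      const uint8_t **out, size_t *out_len) {
    if (end - *cur < 2) return -1;
    size_t n = ((size_t)(*cur)[0] << 8) | (*cur)[1];
    *cur += 2;
    if (n == 0 || (size_t)(end - *cur) < n) return -1;
    *out = *cur; *out_len = n; *cur += n;
    return 0;
}

/* Hypothetical helper: 1 = accept, 0 = prime below min_bits, -1 = malformed.
   msg points at ServerDHParams (dh_p, dh_g, dh_Ys) inside ServerKeyExchange. */
int dh_group_acceptable(const uint8_t *msg, size_t len, size_t min_bits,
                        size_t *p_bits) {
    const uint8_t *cur = msg, *end = msg + len, *p, *g, *ys;
    size_t plen, glen, yslen;
    if (read_vec16(&cur, end, &p, &plen) || read_vec16(&cur, end, &g, &glen) ||
        read_vec16(&cur, end, &ys, &yslen))
        return -1;
    *p_bits = be_bit_length(p, plen);
    return *p_bits >= min_bits;
}

int main(void) {
    /* Constructed sample: 16-bit prime 0xFFF1, g = 2, Ys = 0x1234. */
    const uint8_t tiny[] = {0x00,0x02,0xFF,0xF1, 0x00,0x01,0x02, 0x00,0x02,0x12,0x34};
    size_t bits = 0;
    int rc = dh_group_acceptable(tiny, sizeof tiny, MIN_DH_BITS, &bits);
    printf("dh_p is %zu bits: %s\n", bits, rc == 1 ? "accept" : "reject");
    return 0;
}
```

The check covers size only; it says nothing about whether the prime is safe or the generator is sensible.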