Hi!
while working on Postfix/TLS (and following the discussion about DH
things and the history of SSL), I think about including DSA certificate
support into the package.
Since the documentation about this issue is pretty (ahem) thin, I have
some questions left:
- When using DH, I do need DH parameters. These parameters are used for
random number purposes. Right?
- In s_server.c, these parameters are hard coded. If the first assumption
is right, then using the same parameters in my application would be
quite stupid. Right?
- While strolling through mod_ssl I have seen 512bit and 1024bit DH params.
I cannot use both at the same time, so is it good enough to have one
of it and read it in at startup time?
- How critical is the lifetime of the parameters? Is it good enough, to
generate them once during setup (by user action) or would it be better to
generate new ones letīs say once by night from a cron job.
Sorry if these questions seem dumb, but I walked through the code of
mod_ssl and did not completely understand what has to be done to do
a correct setup. s_server is not a good sample here, even though
widely applied (see e.g. sslwrap, where the author is even using the
original DH data included in s_server).
Many thanks in advance,
Lutz
PS. I managed to get things running with s_server and gendh 1024bit
and the snakeoil-dsa things included in mod_ssl, so from the experimenting
point of view it is okay, but for a security relevant issue you better
now for sure :-)
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
