How often should a server generate new DH parameters?

Is this a dumb question? Sorry if it is.

1. 36 hours isn't much time to wait for a response.

I forgot it was the weekend; I've been reading the list for several weeks now and the questions that get answered are answered quickly.

2. You broke threading, rather than starting a new thread.

I didn't realize I did that, sorry. I receive this list via email.

3. It depends on a lot of factors, none of which you bothered to tell us. Start by explaining your exact security goals, your acceptable risk profile, your encryption architecture, your integrity architecture, and your budget.

I don't know what the ramifications of reusing the DH parameters are. Does it make it easier for a MITM to determine session keys over time if the parameters are not changed?

I am handing the DH parameters to OpenSSL using SSL_CTX_set_tmp_dh and it does whatever it does with them. They are used only for establishing SSL/TLS connections.

I'm not sure why my budget is a factor; I can write a routine to update them and have a thread call this routine repeatedly, sleeping in between calls.

I'm assuming that there is a need to change these parameters every so often; maybe I'm wrong.

Mike
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]