On 05/27/2015 12:29 PM, Jacques Distler wrote:

...

It is not at this point emphasized anywhere, including on weakdh.org, that it is actually of high importance to regenerate your DH parameters frequently. That's not really correct.

If you're using a prime of length at least 2048 bits, then the corresponding discrete-log problem is well-beyond the pre-computation ability of the NSA (or anyone else).

It is computationally intensive to generate such large primes, p (and corresponding base parameter, g). You need to ensure that p is actually prime (the costly step [1]) and that g is primitive.

Which is why most implementations have used shorter (<= 1024 bit) primes.

Using shorter primes, and regenerating DH parameters at regular intervals, is only a linear-time improvement. By contrast, generating longer DH parameters (without bothering to regenerate) is an EXPONENTIAL improvement in security.

So the best setting is to set ssl_dh_parameters_length as large as feasible ([2] recommends 2048 bits), and NOT to regenerate.

Well that's certainly what I meant to say. By referring to weakdh.org (and placing my message in the context of this entire thread) I was at the very least subtly alluding to the recommendation loudly stated there to use at least 2048 bits, which has been the recommendation for a very long time, anyway. The implementation in the various TLS libraries was never a very good reference point, to put it mildly. Some bad choices have been made presumably for "pragmatic" (= lazy) reasons and the harm is that these things are not transparent to most people.

But when you write NOT to regenerate, are you saying that using larger primes makes regenerating unnecessary, or are you telling us that it's somehow harmful?