FREAK/Logjam, and SSL protocols to use
distler at golem.ph.utexas.edu
Wed May 27 16:29:18 UTC 2015
>It is not at this point emphasized anywhere, including on weakdh.org, that it is actually of high importance to regenerate your DH parameters frequently.
That's not really correct.
If you're using a prime of length at least 2048 bits, then the corresponding discrete-log problem is well-beyond the pre-computation ability of the NSA (or anyone else).
It is computationally intensive to generate such large primes, p (and corresponding base parameter, g). You need to ensure that p is actually prime (the costly step ) and that g is primitive.
Which is why most implementations have used shorter (<= 1024 bit) primes.
Using shorter primes, and regenerating DH parameters at regular intervals, is only a linear-time improvement. By contrast, generating longer DH parameters (without bothering to regenerate) is an EXPONENTIAL improvement in security.
So the best setting is to set ssl_dh_parameters_length as large as feasible ( recommends 2048 bits), and NOT to regenerate.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 203 bytes
Desc: Message signed with OpenPGP using GPGMail
More information about the dovecot