FREAK/Logjam, and SSL protocols to use

Jacques Distler distler at
Wed May 27 16:29:18 UTC 2015

>It is not at this point emphasized anywhere, including on, that it is actually of high importance to regenerate your DH parameters frequently.

That's not really correct.

If you're using a prime of length at least 2048 bits, then the corresponding discrete-log problem is well-beyond the pre-computation ability of the NSA (or anyone else).

It is computationally intensive to generate such large primes, p (and corresponding base parameter, g). You need to ensure that p is actually prime (the costly step [1]) and that g is primitive.

Which is why most implementations have used shorter (<= 1024 bit) primes.

Using shorter primes, and regenerating DH parameters at regular intervals, is only a linear-time improvement. By contrast, generating longer DH parameters (without bothering to regenerate) is an EXPONENTIAL improvement in security.

So the best setting is to set ssl_dh_parameters_length as large as feasible ([2] recommends 2048 bits), and NOT to regenerate.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 203 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <>

More information about the dovecot mailing list