FREAK/Logjam, and SSL protocols to use

Jacques Distler distler at golem.ph.utexas.edu
Wed May 27 18:58:21 UTC 2015


>But when you write NOT to regenerate, are you saying that using larger primes makes regenerating unnecessary, or are you telling us that it's somehow harmful?

For a given computational effort, you get the most bang-for-the-buck by choosing large parameters (and checking very carefully that they are "safe") rather than smaller parameters (and/or checking them less carefully) which you then regenerate.

Every time you regenerate, there's a small (but finite) probability that the new parameters are actually unsafe. You'd do better using those CPU cycles to improve the proof that your original set of parameters was safe (admittedly, no one actually does this), rather than generating a new set. Remember, the DH parameters (p,g) are NOT secret; they are transmitted in the clear every time.

As long as you're using Ephemeral Diffie-Hellman (choosing new exponents, a and b, for each session) with large safe DH parameters, it's hard to think of a threat model where you improve the security AT ALL by regenerating the DH parameters.
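The "safe" checks the post refers to, and the ephemeral exchange it contrasts them with, as an added example (this is not code from the post or from Dovecot). It assumes the usual meaning of a safe DH group: p prime, (p-1)/2 prime, and g generating the prime-order subgroup; the toy group size is constructed only so the search finishes quickly, real groups are 2048 bits or larger. `openssl dhparam -check` performs a comparable parameter check on a real group file.

```python
import random
import secrets

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test. Witness bases come from random (they are not secret)."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dh_params(p, g):
    """Return a list of problems with the public group (p, g); an empty list means it passed.

    'Safe' here means: p prime, (p-1)/2 prime (a safe prime), and g generating the
    order-q subgroup rather than the full group (a full-group g leaks one exponent bit)."""
    problems = []
    if p < 5 or not is_probable_prime(p):
        problems.append("p is not prime")
        return problems
    q = (p - 1) // 2
    if not is_probable_prime(q):
        problems.append("(p-1)/2 is not prime, so p is not a safe prime")
    if not 1 < g < p - 1:
        problems.append("g must lie strictly between 1 and p-1")
    elif pow(g, q, p) != 1:
        problems.append("g does not generate the order-q subgroup")
    return problems


def generate_toy_safe_prime_group(bits):
    """Constructed toy group: search for prime q with p = 2q+1 also prime.
    Sized for a quick demonstration only; deployments use >= 2048-bit p."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if not is_probable_prime(q, rounds=8):
            continue
        p = 2 * q + 1
        if is_probable_prime(p):
            break
    # 4 = 2^2 is always a quadratic residue, so it generates the order-q subgroup;
    # prefer 2 when it happens to do the same (p = 7 mod 8).
    g = 2 if pow(2, q, p) == 1 else 4
    return p, q, g


def validate_peer_public(p, q, y):
    """Reject out-of-range or small-subgroup public values before exponentiating with them."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def ephemeral_exchange(p, q, g):
    """One DHE session: fresh exponents a and b each time, fixed public (p, g).
    Returns both sides' shared secrets so the caller can confirm they agree."""
    a = 2 + secrets.randbelow(q - 2)   # Alice's ephemeral secret
    b = 2 + secrets.randbelow(q - 2)   # Bob's ephemeral secret
    big_a, big_b = pow(g, a, p), pow(g, b, p)
    if not (validate_peer_public(p, q, big_a) and validate_peer_public(p, q, big_b)):
        raise ValueError("peer public value failed the subgroup check")
    return pow(big_b, a, p), pow(big_a, b, p)


if __name__ == "__main__":
    p, q, g = generate_toy_safe_prime_group(48)
    print("parameter problems:", check_dh_params(p, g) or "none")
    s_alice, s_bob = ephemeral_exchange(p, q, g)
    print("shared secrets agree:", s_alice == s_bob)
```

The security of the session rests on the per-session exponents a and b, which is why `ephemeral_exchange` draws them from `secrets`; the group itself is public and only needs to pass `check_dh_params` once.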