[openssl-users] stunnel 5.46 released
Tomas Mraz
tmraz at redhat.com
Thu May 31 16:37:18 UTC 2018
On Wed, 2018-05-30 at 13:12 -0400, Viktor Dukhovni wrote:
> > On May 30, 2018, at 12:54 PM, Michał Trojnara <Michal.Trojnara at stun
> > nel.org> wrote:
> >
> > > I am rather puzzled as to why you chose to eliminate
> > > not just fixed DH, but also the ephemeral finite-field
> > > DH key exchange. What's wrong with the DHE ciphers?
> >
> > Mostly precomputation attacks: https://weakdh.org/logjam.html
>
> Which is an issue with *weak* DH parameters, which are no longer
> accepted by OpenSSL. Ephemeral DH is in the majority of server
> implementations actually ephemeral. The group is fixed, but
> the server private key is per session, or with old unpatched
> code randomly chosen by each server. It is not clear to me
> that EECDH is fundamentally stronger. Indeed it might prove
> weak sooner to QC attacks if/when those become practical.
I would not say that weak DH parameters are fully rejected by OpenSSL.
The 1024 bit DH parameters could be in theory attacked by state
agencies by precomputation of the discrete logarithm table. And openssl
still accepts 1024 bit DH by default if I am not mistaken.
--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]
More information about the openssl-users
mailing list