[openssl-users] stunnel 5.46 released
Blumenthal, Uri - 0553 - MITLL
uri at ll.mit.edu
Thu May 31 18:43:00 UTC 2018
FWIW, I'm with Viktor in this argument. From cryptography point of view he's right. I suspect he's right from the practical point of view as well.
P.S. Those concerned that a nation-state would attack them, are advised to change the default config anyway.
--
Regards,
Uri Blumenthal
On 5/31/18, 14:01, "openssl-users on behalf of Viktor Dukhovni" <openssl-users-bounces at openssl.org on behalf of openssl-users at dukhovni.org> wrote:
> On May 31, 2018, at 12:37 PM, Tomas Mraz <tmraz at redhat.com> wrote:
>
> I would not say that weak DH parameters are fully rejected by OpenSSL.
> The 1024 bit DH parameters could be in theory attacked by state
> agencies by precomputation of the discrete logarithm table.
That's speculative. If the idea is to prefer kECDHE over kDHE,
OpenSSL already does that. In practice ECDHE is negotiated
when available. The issue at hand is whether kDHE is worse
than kRSA. Which is more likely later key compromise or
a brute force attack on 1024-bit DHE likely costing 10's to
100's of millions of dollars per key...
> And openssl
> still accepts 1024 bit DH by default if I am not mistaken.
Yes, but unless you're another nation-state with secrets
worth attacking at all costs, it seems rather unlikely
that this is a concern.
--
Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5211 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180531/27c474af/attachment.bin>
More information about the openssl-users
mailing list