[openssl-dev] Weak DH and the Logjam

mancha mancha1 at zoho.com
Wed May 20 08:01:11 UTC 2015


Given Adrien et al.'s recent paper [1] together with their proof-of-concept
attacks against 512-bit DH groups [2], it might be a good time to
resurrect a discussion Daniel Kahn Gillmor has brought up in the past.

Namely, whether it makes sense for OpenSSL to reject DH groups smaller
than some minimum (1024 bits or more). Currently, client implementations
built on OpenSSL will happily accept small DH groups from a peer (e.g. a
16-bit DH group [3]).

[1] https://weakdh.org/imperfect-forward-secrecy.pdf
[2] https://weakdh.org/logjam.html
[3] openssl s_client -connect demo.cmrg.net:443 < /dev/null

--mancha

PS My understanding is Google Chrome will soon be rejecting all DH
groups smaller than 1024 bits.
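
The client-side check proposed above, as an added example (not part of the original post and not OpenSSL code): it parses the ServerDHParams at the start of a TLS ServerKeyExchange body and rejects a prime below a floor. The names MIN_DH_BITS and check_server_dh are hypothetical, the 1024-bit floor is the figure from the post, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MIN_DH_BITS 1024  /* assumed floor: the minimum floated in the post */
enum dh_verdict { DH_OK, DH_TOO_SMALL, DH_MALFORMED };

/* Read one TLS opaque<1..2^16-1> vector: 2-byte big-endian length, then data. */
static int read_vec(const uint8_t **p, size_t *left, const uint8_t **out, size_t *len)
{
    if (*left < 2) return -1;
    *len = ((size_t)(*p)[0] << 8) | (*p)[1];
    if (*len == 0 || *len > *left - 2) return -1;   /* empty or truncated */
    *out = *p + 2;
    *p += 2 + *len;
    *left -= 2 + *len;
    return 0;
}

/* Significant bits of a big-endian integer; leading zero bytes do not count. */
static size_t be_bits(const uint8_t *v, size_t len)
{
    while (len > 0 && *v == 0) { v++; len--; }
    if (len == 0) return 0;
    size_t bits = len * 8;
    for (uint8_t top = *v; !(top & 0x80); top <<= 1) bits--;
    return bits;
}

/* Parse dh_p, dh_g, dh_Ys and apply the floor to dh_p; *p_bits gets its size. */
enum dh_verdict check_server_dh(const uint8_t *msg, size_t len, size_t *p_bits)
{
    const uint8_t *v[3];   /* dh_p, dh_g, dh_Ys */
    size_t n[3];
    *p_bits = 0;
    for (int i = 0; i < 3; i++)
        if (read_vec(&msg, &len, &v[i], &n[i])) return DH_MALFORMED;
    *p_bits = be_bits(v[0], n[0]);
    return *p_bits < MIN_DH_BITS ? DH_TOO_SMALL : DH_OK;
}

int main(void)
{
    /* Constructed bytes: 2-byte dh_p, 1-byte dh_g, 2-byte dh_Ys (not a real group). */
    const uint8_t ske[] = {0x00,0x02,0xC3,0x5B, 0x00,0x01,0x02, 0x00,0x02,0x12,0x34};
    size_t bits;
    enum dh_verdict r = check_server_dh(ske, sizeof ske, &bits);
    printf("dh_p is %zu bits: %s\n", bits, r == DH_OK ? "accept" : "reject");
    return 0;
}
```

The size is measured on the value of dh_p, not its encoded length, so a short prime padded with leading zero bytes is still rejected.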


