[openssl-dev] Weak DH and the Logjam

mancha mancha1 at zoho.com
Wed May 20 07:22:57 UTC 2015


Given Adrian et al.'s recent paper [1] together with their
proof-of-concept attacks against 512-bit DH groups [2], it might be a
good time to resurrect a discussion Daniel Kahn Gillmor has brought up
in the past.

Namely, whether it makes sense for OpenSSL to reject DH groups smaller
than some minimum. Say, 1024 bits or more. Currently, a client
implementation built on OpenSSL will happily accept small DH groups from
a peer (e.g. a 16-bit DH group [3]).

[1] https://weakdh.org/imperfect-forward-secrecy.pdf
[2] https://weakdh.org/logjam.html
[3] openssl s_client -connect demo.cmrg.net:443 < /dev/null

--mancha

PS My understanding is Google Chrome will soon be rejecting all DH
groups smaller than 1024 bits.
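
Added example (not part of the message above and not OpenSSL code): the kind of client-side floor under discussion, expressed in C as a parser for the ServerDHParams carried in a TLS ServerKeyExchange that refuses a dh_p below a minimum size. The function names, the 1024-bit constant and the sample bytes are assumptions constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MIN_DH_BITS 1024 /* assumed floor: the figure floated in the message */

/* Read one TLS vector: 2-byte big-endian length, then that many bytes. */
static int read_vec16(const uint8_t **p, size_t *left, const uint8_t **out, size_t *n) {
    if (*left < 2) return -1;
    *n = ((size_t)(*p)[0] << 8) | (*p)[1];
    if (*n == 0 || *n > *left - 2) return -1; /* empty or runs past the buffer */
    *out = *p + 2;
    *p += 2 + *n;
    *left -= 2 + *n;
    return 0;
}

/* Bit length of a big-endian integer; leading zero bytes do not count. */
static size_t bit_length(const uint8_t *b, size_t len) {
    while (len > 0 && *b == 0) { b++; len--; }
    size_t bits = len * 8;
    for (uint8_t top = len ? *b : 0x80; !(top & 0x80); top <<= 1) bits--;
    return bits;
}

/* ServerDHParams = dh_p, dh_g, dh_Ys. Returns the bit length of dh_p if accepted,
 * 0 if the group is below min_bits, -1 if the structure is malformed. */
long check_server_dh_params(const uint8_t *msg, size_t len, size_t min_bits) {
    const uint8_t *p, *g, *ys;
    size_t plen, glen, yslen;
    if (read_vec16(&msg, &len, &p, &plen) || read_vec16(&msg, &len, &g, &glen) ||
        read_vec16(&msg, &len, &ys, &yslen))
        return -1;
    size_t bits = bit_length(p, plen);
    return bits >= min_bits ? (long)bits : 0;
}

/* Constructed sample: p is p_top then 0xff bytes, g=2, Ys=3; cut truncates the tail. */
long sample_verdict(size_t p_len, uint8_t p_top, size_t cut) {
    uint8_t buf[600] = { (uint8_t)(p_len >> 8), (uint8_t)p_len };
    memset(buf + 2, 0xff, p_len);
    buf[2] = p_top;
    memcpy(buf + 2 + p_len, "\x00\x01\x02\x00\x01\x03", 6);
    return check_server_dh_params(buf, 2 + p_len + 6 - cut, MIN_DH_BITS);
}

int main(void) {
    printf("16-bit: %ld  512-bit: %ld  1024-bit: %ld\n", sample_verdict(2, 0xff, 0),
           sample_verdict(64, 0xff, 0), sample_verdict(128, 0xff, 0));
    return 0;
}
```

The size is measured on the value of dh_p, not on its encoded length, so a prime padded with leading zero bytes is not counted as larger than it is.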