[openssl-users] Vulnerability >> logjam << downgrades TLS connections to 512 Bit

Jeffrey Walton noloader at gmail.com
Fri May 22 06:30:23 UTC 2015

On Fri, May 22, 2015 at 1:55 AM, Jakob Bohm <jb-openssl at wisemo.com> wrote:
> On 22/05/2015 07:18, Jeffrey Walton wrote:
>> On Fri, May 22, 2015 at 12:51 AM, Jakob Bohm <jb-openssl at wisemo.com>
>> wrote:
>>> On 22/05/2015 03:57, Jeffrey Walton wrote:
>>>>> As an additional change for 1.0.2c or later (no need to
>>>>> delay the urgent fix), maybe adjust internal operations
>>>>> to discourage use of hardcoded DH groups for TLS DH (but
>>>>> NOT for generic DH-like operations such as openssl-based
>>>>> implementations of SRP).
>>>> That's going to be tough because standards groups like the TLS WG are
>>>> actively promoting fully specified, named parameters and curves.
>>>> See, for example, "Negotiated Finite Field Diffie-Hellman Ephemeral
>>>> Parameters for TLS",
>>>> https://tools.ietf.org/html/draft-ietf-tls-negotiated-ff-dhe-09; and
>>>> the discussion of magic primes at "Re: [TLS] Another IRINA bug in
>>>> TLS", https://www.ietf.org/mail-archive/web/tls/current/msg16417.html.
>>>> (The thread is due to the recent attacks on DH).
>>> The latter thread contains posts from respected experts
>>> asking not to use fixed parameters for DH...
>> Well, I'm not sure how much more respected one can get than Daniel
>> Kahn Gillmore, Stephen Farrell, Eric Recorla; or have better
>> credentials than practicing cryptographers.
>> How high is your bar :)
> Whom did I say were not highly respected cryptographers?
> ...
> I saw no posts in that thread arguing why fixed DH groups
> would be a good thing.

That's Gillmor's
https://tools.ietf.org/html/draft-ietf-tls-negotiated-ff-dhe-09. Its a
set of fixed DH groups called out by name for use in TLS.

Or are you talking about server certificates with fixed DH parameters?


More information about the openssl-users mailing list