[openssl-users] stunnel 5.46 released

Viktor Dukhovni openssl-users at dukhovni.org
Wed May 30 17:12:06 UTC 2018



> On May 30, 2018, at 12:54 PM, Michał Trojnara <Michal.Trojnara at stunnel.org> wrote:
> 
>> I am rather puzzled as to why you chose to eliminate
>> not just fixed DH, but also the ephemeral finite-field
>> DH key exchange.  What's wrong with the DHE ciphers?
> 
> Mostly precomputation attacks: https://weakdh.org/logjam.html

Which is an issue with *weak* DH parameters, which are no longer
accepted by OpenSSL.  Ephemeral DH is in the majority of server
implementations actually ephemeral.  The group is fixed, but
the server private key is per session, or with old unpatched
code randomly chosen by each server.  It is not clear to me
that EECDH is fundamentally stronger.  Indeed it might prove
weak sooner to QC attacks if/when those become practical.

So I would disable only kDH, but not DHE.  Keep in mind that
some remote systems will not support EECDH, and by disabling
DHE, you get only kRSA, which is worse.  So I think that
'!DH' is unwise.

-- 
	Viktor.
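
Added example, not part of the original message: the difference between '!DH' and '!kDH' described above, checked with Python's ssl module, which passes the string to OpenSSL's own cipher-list parser. The three-suite base list and the function names are constructed for illustration; it assumes Python is linked against OpenSSL 1.1.0 or later, where the static-DH suites no longer exist and '!kDH' therefore removes nothing.

```python
import ssl

# Constructed server preference list: one suite per key-exchange family
# (EECDH, DHE, kRSA), all RSA-authenticated.
BASE = "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256"


def enabled_kx(cipher_string):
    """Return [(suite name, key exchange)] that OpenSSL enables for TLS <= 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites report 'kx-any' and are not controlled by this string.
    return [(c["name"], c["kea"]) for c in ctx.get_ciphers()
            if c["kea"] != "kx-any"]


def best_for_peer_without_ecdhe(cipher_string):
    """Key exchange left for a peer that cannot do EECDH, in server order."""
    for _name, kx in enabled_kx(cipher_string):
        if kx != "kx-ecdhe":
            return kx
    return None


if __name__ == "__main__":
    for rule in ("!DH", "!kDH"):
        spec = BASE + ":" + rule
        print(rule)
        for name, kx in enabled_kx(spec):
            print("   ", kx, name)
        print("    peer without EECDH gets:", best_for_peer_without_ecdhe(spec))
```
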


