[openssl-users] stunnel 5.46 released
Viktor Dukhovni
openssl-users at dukhovni.org
Thu May 31 18:00:08 UTC 2018
> On May 31, 2018, at 12:37 PM, Tomas Mraz <tmraz at redhat.com> wrote:
>
> I would not say that weak DH parameters are fully rejected by OpenSSL.
> The 1024 bit DH parameters could be in theory attacked by state
> agencies by precomputation of the discrete logarithm table.
That's speculative. If the idea is to prefer kECDHE over kDHE,
OpenSSL already does that. In practice ECDHE is negotiated
when available. The issue at hand is whether kDHE is worse
than kRSA. Which is more likely later key compromise or
a brute force attack on 1024-bit DHE likely costing 10's to
100's of millions of dollars per key...
> And openssl
> still accepts 1024 bit DH by default if I am not mistaken.
Yes, but unless you're another nation-state with secrets
worth attacking at all costs, it seems rather unlikely
that this is a concern.
--
Viktor.
More information about the openssl-users
mailing list