built-in EDH parameters

built-in EDH parameters

A. Schulze
Hello Developers,

Postfix comes - like much other software - with built-in DH parameters (file: src/tls/tls_dh.c).
The documentation also suggests one may want to generate one's own DH parameters. (http://www.postfix.org/FORWARD_SECRECY_README.html#quick-start)

Is that still the best solution? RFC 7919 (https://tools.ietf.org/html/rfc7919) offers a "Supported Groups Registry".

Andreas

Re: built-in EDH parameters

Viktor Dukhovni
> On Nov 10, 2019, at 12:12 PM, A. Schulze <[hidden email]> wrote:
>
> Postfix comes - like much other software - with built-in DH parameters (file: src/tls/tls_dh.c).
> The documentation also suggests one may want to generate one's own DH parameters. (http://www.postfix.org/FORWARD_SECRECY_README.html#quick-start)
>
> Is that still the best solution? RFC 7919 (https://tools.ietf.org/html/rfc7919) offers a "Supported Groups Registry".

For now I think this is still the best option.  Support for
negotiation of RFC7919 groups requires OpenSSL 3.0 (not yet
released).  These groups are unavailable in OpenSSL 1.0.2.
In OpenSSL 1.1.1 it is possible to select one statically,
but this is not useful; these groups are only useful when
negotiated.

--
        Viktor.
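The thread's answer is to keep generating your own DH parameters with `openssl dhparam` as the FORWARD_SECRECY_README describes. The script below is an added example, not Postfix code or anything from the list: it DER-decodes a PEM "DH PARAMETERS" file of the kind `openssl dhparam -out dh.pem 2048` writes (the PKCS#3 structure `SEQUENCE { INTEGER p, INTEGER g }`), reports the prime size and generator, and checks that p is a safe prime of at least 2048 bits before you point `smtpd_tls_dh1024_param_file` at it. The sample parameters it checks (p = 23, g = 2, and p = 13, g = 2) are constructed on the spot and deliberately tiny so the size check fails visibly; the `MIN_BITS` threshold and the function names are this example's own assumptions.

```python
"""Validate a PEM 'DH PARAMETERS' file (PKCS#3 DHParameter) before deploying it.

Added example, not Postfix's or OpenSSL's code. Reads the DER structure
SEQUENCE { INTEGER p, INTEGER g }, then checks size, generator and that p is a
safe prime (p and (p-1)/2 both probable primes), which is what a sane
`openssl dhparam` output looks like.
"""
import base64
import random

MIN_BITS = 2048  # assumption: smallest prime this checker accepts for Postfix


def _der_len(n):
    """DER length encoding: short form below 0x80, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v):
    """DER INTEGER; the extra byte keeps the sign bit clear for big positives."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def encode_dh_params(p, g):
    """Write the PEM text `openssl dhparam` would emit for (p, g).
    Used here only to construct sample input for the checker."""
    seq = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(seq)) + seq
    b64 = base64.encodebytes(der).decode().replace("\n", "")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_dh_params(pem):
    """Parse PEM 'DH PARAMETERS' into (p, g)."""
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    der = base64.b64decode(body)
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two INTEGERs (p, g)")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with a fixed seed so results are reproducible."""
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % q == 0:
            return n == q
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dh_params(pem, min_bits=MIN_BITS):
    """Return {'bits', 'generator', 'problems'}; an empty problems list means deployable."""
    p, g = decode_dh_params(pem)
    bits = p.bit_length()
    problems = []
    if bits < min_bits:
        problems.append(f"prime is {bits} bits, need at least {min_bits}")
    if g not in (2, 5):  # openssl dhparam only ever writes generator 2 or 5
        problems.append(f"unusual generator {g}")
    if not is_probable_prime(p) or not is_probable_prime((p - 1) // 2):
        problems.append("p is not a safe prime")
    return {"bits": bits, "generator": g, "problems": problems}


if __name__ == "__main__":
    # Constructed sample: p=23 is a safe prime (11 is prime) but far too small.
    for p, g in ((23, 2), (13, 2)):
        print(f"p={p} g={g}:", check_dh_params(encode_dh_params(p, g)))
```

Run it against a real file with `check_dh_params(open("dh.pem").read())`; the safe-prime test on a 2048-bit prime takes a few seconds in pure Python, which is fine for a one-off pre-deployment check. Note that the RFC 7919 registry groups Viktor mentions are also safe primes, so a file containing one of them passes this check, but as he says, the point of those groups is negotiation, which this static file cannot give you.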