* Bastian Blank:

> On Fri, Sep 13, 2013 at 10:51:06PM +0200, Kurt Roeckx wrote:
>> I think gnutls by default has a minimum size of 727 for the DH
>> size while openssl doesn't have any check for this. But if you're
>> using DH you really want to move to something like 2048 if
>> possible.
>
> This prime size is pretty irrelevant for opportunistic TLS.

Small primes enable passive attacks. TLS with plain RSA and a large
enough modulus (even 1024 bits isn't that problematic at this point)
is thought to be safe against passive attacks, *even without*
certificate validation.

Curiously, the optional ephemeral Diffie-Hellman part of the TLS
protocol runs in plaintext, which means that it can be attacked
directly, without bothering to attack the RSA part. As a result, that
dreaded thing called "perfect forward secrecy" is not necessarily an
overall improvement. It's probably best to disable it altogether, then
the DH interoperability issue disappears as well.

(I'm pretty sure the current trend to enable it all over the place is
mostly due to its suggestive name.)