Closed navjotjsingh closed 8 months ago
Hi navjotjsingh,
Interesting find, I will look into it but if what you say is true then I don't see any issues merging this. However, what spurred this change? Are there use cases where a lot of Diffie-Hellman parameters are generated?
I don't know of any such use cases. I suggested it just because it can greatly speed up the process.
I am not convinced this is the recommended setting when creating a DH parameter which will be quite static throughout the server's lifetime:
DH parameter generation with the -dsaparam option is much faster, and the recommended exponent length is shorter, which makes DH key exchange more efficient. Beware that with such DSA-style DH parameters, a fresh DH key should be created for each use to avoid small-subgroup attacks that may be possible otherwise.
and the discussion here: https://github.com/ansible/ansible/issues/61967
If the delay of creating these is too great to handle, you can always pre-compute them on another device and copy them to the location you want.
I have been thinking about this for a while and I think we should keep the default OpenSSL behavior.
If fast dhparam creation is necessary one can follow the Mozilla recommendation and just download some parameters:
curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
Seems you can fetch even more from here.
We can add the -dsaparam flag to the command to speed up the generation of the Diffie-Hellman parameter. It can speed up the process significantly without compromising security. https://security.stackexchange.com/a/95184
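Added example, not code from this issue, from OpenSSL or from the project: a stand-alone Python script that makes the OpenSSL warning quoted above concrete. It classifies a DH modulus as a safe prime (what plain `openssl dhparam` generates, p-1 = 2q) or DSA-style (what `-dsaparam` generates, p-1 = 2qj with a cofactor j), simulates the small-subgroup attack against a static private key on two constructed toy groups (p = 23 and p = 331, chosen here for size, not taken from the thread), and rebuilds the ffdhe2048 prime contained in the Mozilla file linked above from its RFC 7919 definition to check that it is a safe prime. The Miller-Rabin bases and the toy parameters are my choices; the ffdhe2048 formula and the constant 560316 are from RFC 7919, Appendix A.1. To check a real parameter file, feed `classify` the p (and, for X9.42 files, q) values printed by `openssl dhparam -in FILE -text -noout`.

```python
"""Safe-prime vs. DSA-style DH parameters and why a static key is only safe
with the former.  Standard library only; toy groups are constructed below."""

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, bases=MR_BASES):
    """Miller-Rabin with fixed bases (probabilistic for large n, fine here)."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def classify(p, q=None):
    """'safe-prime' if (p-1)/2 is prime (plain `dhparam`), 'dsa-style' if a
    prime q dividing p-1 is supplied instead (`dhparam -dsaparam`)."""
    if not is_probable_prime(p):
        return "not-prime"
    if is_probable_prime((p - 1) // 2):
        return "safe-prime"
    if q is not None and is_probable_prime(q) and (p - 1) % q == 0:
        return "dsa-style"
    return "unknown"


def small_prime_factors(n):
    """Trial division; only for the toy moduli below, never for 2048-bit p."""
    out, f = [], 2
    while f * f <= n:
        if n % f == 0:
            out.append(f)
            while n % f == 0:
                n //= f
        f += 1
    if n > 1:
        out.append(n)
    return out


def static_key_candidates(p, q, x):
    """Small-subgroup attack on a victim that reuses private key x in [1, q-1]
    and does not validate the peer's public value.  For each prime r | p-1
    with r != q, the peer sends y of order r; the victim's y^x mod p takes
    only r values, so (via key confirmation or a MAC, here simulated
    directly) the peer learns x mod r.  Residues are combined with the CRT and
    the keys in [1, q-1] still consistent with the leak are returned."""
    residue, modulus = 0, 1
    for r in small_prime_factors(p - 1):
        if r == q:
            continue
        h = 2
        y = pow(h, (p - 1) // r, p)
        while y == 1:                          # find an element of exact order r
            h += 1
            y = pow(h, (p - 1) // r, p)
        shared = pow(y, x, p)                  # what the victim computes with static x
        leaked = next(i for i in range(r) if pow(y, i, p) == shared)  # x mod r
        t = (leaked - residue) * pow(modulus, -1, r) % r             # CRT lift
        residue, modulus = residue + modulus * t, modulus * r
    return [c for c in range(1, q) if c % modulus == residue]


def ffdhe2048_prime():
    """RFC 7919 A.1: p = 2^2048 - 2^1984 + (floor(2^1918 * e) + 560316) * 2^64 - 1,
    with e computed in fixed point from its series sum 1/k! (64 guard bits)."""
    guard = 64
    term = 1 << (1918 + guard)                 # 2^K / 0!
    e_scaled, k = 0, 0
    while term:
        e_scaled += term
        k += 1
        term //= k                             # 2^K / k!
    e_bits = e_scaled >> guard                 # floor(2^1918 * e)
    return (1 << 2048) - (1 << 1984) + (e_bits + 560316) * (1 << 64) - 1


if __name__ == "__main__":
    # Constructed toy groups: safe prime 23 (22 = 2*11) and DSA-style 331
    # (330 = 2*3*5*11 with q = 11, cofactor 30); static key x = 7 in both.
    print(classify(23), static_key_candidates(23, 11, 7))        # 5 of 10 keys left
    print(classify(331, 11), static_key_candidates(331, 11, 7))  # key fully recovered
    p = ffdhe2048_prime()
    print(classify(p), hex(p)[:20])                              # the Mozilla group
```

On the safe-prime toy group only x mod 2 leaks (and a victim that checks 2 <= y <= p-2 does not even leak that), so half of the key space remains no matter how many exchanges the attacker runs. On the DSA-style group the cofactor's factors 2, 3 and 5 together exceed q, so the static key is recovered completely from three exchanges. Real `-dsaparam` cofactors are large random numbers, but the attacker only needs their small factors, which trial division finds cheaply, which is why the manual page quoted above demands a fresh key for every use with such parameters and why a safe prime such as ffdhe2048 is the better fit for a parameter file that lives as long as the server.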