Closed lewisgoddard closed 6 years ago
Are DSA-like parameters for DH equally secure? If so, that's one easy flag to significantly speed things up.
If this option is used, DSA rather than DH parameters are read or created; they are converted to DH format. Otherwise, "strong" primes (such that (p-1)/2 is also prime) will be used for DH parameter generation.
DH parameter generation with the -dsaparam option is much faster, and the recommended exponent length is shorter, which makes DH key exchange more efficient. Beware that with such DSA-style DH parameters, a fresh DH key should be created for each use to avoid small-subgroup attacks that may be possible otherwise.
None of these options seem perfectly secure or guaranteed to work, so I'm going to leave it as is for now.
Option 1: Use the -dsaparam flag on generation (source: the dhparam manual text quoted above).
Option 2: Use a service, e.g.
curl https://2ton.com.au/dhparam/4096
Option 3: Install a randomness generator like rng-tools. See https://www.cyberciti.biz/open-source/debian-ubuntu-centos-linux-setup-additional-entropy-for-server-using-aveged-rng-tools-utils/
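Option 1 in practice, as an added example that is not from this thread: generate DSA-style parameters with -dsaparam, then run OpenSSL's own consistency check and tell the two parameter kinds apart by their PEM header (the same check applies to a file fetched from a service as in Option 2). It assumes an `openssl` binary on PATH; the file names and bit size are arbitrary choices.

```shell
#!/bin/sh
# Added example, not from this thread: generate DSA-style DH parameters with
# -dsaparam (the fast route) and verify what came out before deploying it.
# Assumes an `openssl` binary on PATH; file names and sizes are arbitrary.
set -eu

# Generate $1-bit DH parameters into $2 using DSA-style generation.
# The output also carries the subgroup order q, which is what allows the
# short private exponent and what makes a fresh DH key per use mandatory.
gen_dh_dsaparam() {
    bits="$1"; out="$2"
    openssl dhparam -dsaparam -out "$out" "$bits" 2>/dev/null
}

# Succeed only if OpenSSL's own DH parameter check accepts the file
# (p prime, valid generator, and with q present: g generates the order-q subgroup).
check_dh_params() {
    openssl dhparam -in "$1" -check -noout >/dev/null 2>&1
}

# DSA-style parameters are written with an X9.42 PEM header because they
# include q; classic safe-prime parameters use the plain "DH PARAMETERS" header.
dh_is_dsa_style() {
    grep -q 'BEGIN X9.42 DH PARAMETERS' "$1"
}

# Stand-alone run: generate, check and classify a 2048-bit parameter set.
if [ "${1:-}" = "run" ]; then
    f="${TMPDIR:-/tmp}/dh-dsaparam.pem"
    gen_dh_dsaparam 2048 "$f"
    check_dh_params "$f" && echo "parameters pass openssl dhparam -check"
    if dh_is_dsa_style "$f"; then
        echo "DSA-style (X9.42) params: the server must use a fresh DH key per handshake"
    else
        echo "safe-prime params"
    fi
fi
```

Run it as `sh script.sh run`; the safe-prime route is the same command without -dsaparam and takes far longer at 2048 bits or more.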