Closed steerlink closed 1 year ago
Thanks Sheldon, this is a very good catch!
You're right, the prime requirement seems a bit off. Looking at history, this existed all the way back when the PKeyDH class was introduced: https://github.com/jruby/jruby-openssl/commit/659dd94fdda65041186f86893748a0850d5afb51
I do not see a reason to have it in but would like to spend some time reading the RFC. I was already planning to do a JOSSL release soon, this should definitely be included.
There's still one missing compat feature I'd like to look into, so it might take a week or few...
Resolve the following issues:
Improve performance of Diffie-Hellman key exchange by generating a cryptographically strong random number instead of a probable prime. RFC 4419 does not require or suggest x (private key) be prime.
Background
net-ssh, built on top of openssl, implements the diffie-hellman-group-exchange-sha256 key exchange and supports prime modulus in the range 1024 - 8192. BigInteger class is highly variable and really slows down for primes with bit lengths > 2048. jruby-openssl algorithm generates a BigInteger probable prime for x with the same bit length. Usually the server hangs up before the prime is available.
Benchmarks
☝️ Box plots (log scale) showing how long it takes to generate a probable prime of various bit lengths using the following constructor:
Hoping to get this in the next release of JRuby.
@kares @headius
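The following is an added illustration, not code from this pull request or from jruby-openssl. It draws a private exponent uniformly from the range RFC 4419 gives (1 < x < (p-1)/2), times that against building a probable prime of the same bit length, and checks that both sides of the exchange still derive the same secret. The class and method names, the certainty value of 100, and the freshly generated 2048-bit group are assumptions made for the example.

```java
import java.math.BigInteger;
import java.security.SecureRandom;

// Hypothetical class name; illustration only.
public class DhPrivateExponent {

    // RFC 4419 section 3: choose random x with 1 < x < (p-1)/2. No primality needed.
    static BigInteger randomExponent(BigInteger p, SecureRandom rnd) {
        BigInteger upper = p.subtract(BigInteger.ONE).shiftRight(1); // (p-1)/2
        BigInteger x;
        do {
            // Uniform in [0, 2^n - 1]; rejection sampling keeps the result unbiased.
            x = new BigInteger(upper.bitLength(), rnd);
        } while (x.compareTo(BigInteger.ONE) <= 0 || x.compareTo(upper) >= 0);
        return x;
    }

    public static void main(String[] args) {
        SecureRandom rnd = new SecureRandom();

        // Constructed stand-in for the group a server would send: fresh prime p, g = 2.
        BigInteger p = BigInteger.probablePrime(2048, rnd);
        BigInteger g = BigInteger.valueOf(2);

        // Slow path: a probable prime with the same bit length as p (certainty is assumed).
        long t0 = System.nanoTime();
        BigInteger primeX = new BigInteger(p.bitLength(), 100, rnd);
        long t1 = System.nanoTime();

        // Fast path: a cryptographically strong random number in the RFC 4419 range.
        BigInteger x = randomExponent(p, rnd);
        long t2 = System.nanoTime();

        System.out.printf("probable prime (%d bits): %d ms%n",
                primeX.bitLength(), (t1 - t0) / 1_000_000);
        System.out.printf("random exponent (%d bits): %d ms%n",
                x.bitLength(), (t2 - t1) / 1_000_000);

        // Both peers use non-prime exponents and still agree on K.
        BigInteger y = randomExponent(p, rnd);   // server's private value
        BigInteger e = g.modPow(x, p);           // client's public value
        BigInteger f = g.modPow(y, p);           // server's public value
        BigInteger kClient = f.modPow(x, p);
        BigInteger kServer = e.modPow(y, p);
        if (!kClient.equals(kServer)) {
            throw new AssertionError("shared secrets differ");
        }
        System.out.println("shared secret matches; x probable prime? "
                + x.isProbablePrime(100));
    }
}
```

The measured times vary widely from run to run for the probable-prime path, so repeat the timing several times per bit length before comparing.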