Open jeremycline opened 8 years ago
If possible, it would be ideal to allow users to provide their own DH params as well. Thanks!
If possible, it would be ideal to allow users to provide their own DH params as well.
That's possible as of ejabberd 15.06, see the dhfile and s2s_dhfile options in the admin guide.
@rbarlow also see https://github.com/processone/tls/blob/master/c_src/p1_tls_drv.c#L389 - the parameters are only used in the event that you don't provide your own DH parameters.
@weiss hey thanks for the tip! I'm currently running 14.07 but I am working on getting updated to 16.01 so I'll bookmark this. +1
There are some default Diffie-Hellman parameters as part of p1_tls_drv.c. These parameters appear to be used in the event that parameters are not provided, but they are only 1024 bits which is considered vulnerable to nation-state level attackers[0]. It would be great if these were bumped up to the 2048-bit MODP Group with 256-bit Prime Order Subgroup parameters (also part of RFC 5114[1], section 2.3).
[0] https://weakdh.org/
[1] https://www.ietf.org/rfc/rfc5114.txt