processone / tls

TLS / SSL native driver for Erlang / Elixir
http://www.ejabberd.im

The fallback DH parameters are weak. #16

Open jeremycline opened 8 years ago

jeremycline commented 8 years ago

There are some default Diffie-Hellman parameters as part of p1_tls_drv.c. These parameters appear to be used in the event that parameters are not provided, but they are only 1024 bits which is considered vulnerable to nation-state level attackers[0]. It would be great if these were bumped up to the 2048-bit MODP Group with 256-bit Prime Order Subgroup parameters (also part of RFC 5114[1], section 2.3).

[0] https://weakdh.org/
[1] https://www.ietf.org/rfc/rfc5114.txt

bowlofeggs commented 8 years ago

If possible, it would be ideal to allow users to provide their own DH params as well. Thanks!

weiss commented 8 years ago

> If possible, it would be ideal to allow users to provide their own DH params as well.

That's possible as of ejabberd 15.06, see the dhfile and s2s_dhfile options in the admin guide.

jeremycline commented 8 years ago

@rbarlow also see https://github.com/processone/tls/blob/master/c_src/p1_tls_drv.c#L389 - the parameters are only used in the event that you don't provide your own DH parameters.
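Since the driver's built-in 1024-bit group is only the fallback, the practical fix for an operator is to supply a 2048-bit (or larger) group through the dhfile / s2s_dhfile options mentioned above, and to verify the file actually contains one before deploying it. The script below is an added example, not code from the processone/tls driver or from ejabberd: it parses a PEM "DH PARAMETERS" file (PKCS#3 DER, a SEQUENCE of the prime and the generator) with the Python standard library and rejects any group whose prime is shorter than 2048 bits. The 2048-bit threshold, the sample inputs (correctly sized odd integers that stand in for real primes so the example runs offline) and the function names are assumptions of this example; the check is structural and does not test primality, so generate the real file with `openssl dhparam` and use this only to confirm its size.

```python
"""Audit a PEM "DH PARAMETERS" file before pointing ejabberd's dhfile / s2s_dhfile at it.

Added example, not part of the processone/tls driver. Parses the PKCS#3 structure
    SEQUENCE { prime INTEGER p, base INTEGER g [, privateValueLength INTEGER] }
with the standard library only. The check is structural (prime size, generator
range), not a primality test.
"""
import base64
import re

MIN_PRIME_BITS = 2048  # threshold assumed here, matching the issue's request

_PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)


# --- minimal DER helpers (only what PKCS#3 DHParameter needs) ---------------

def _der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(v):
    """DER INTEGER; a leading 0x00 keeps the value positive when the top bit is set."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Read one tag/length/value at pos; return (tag, value bytes, next pos)."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def encode_dh_params(p, g):
    """Build a PEM DH PARAMETERS block (used here only to construct sample input)."""
    inner = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(inner)) + inner
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def parse_dh_params(pem):
    """Return (p, g) from a PEM DH PARAMETERS block; raise ValueError if malformed."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("outer element is not a DER SEQUENCE")
    tag, p_bytes, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("prime is not an INTEGER")
    tag, g_bytes, pos = _read_tlv(seq, pos)
    if tag != 0x02:
        raise ValueError("generator is not an INTEGER")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def audit_dh_params(pem, min_bits=MIN_PRIME_BITS):
    """Return (ok, prime_bits, reasons); ok is False for any 1024-bit-class group."""
    p, g = parse_dh_params(pem)
    bits = p.bit_length()
    reasons = []
    if bits < min_bits:
        reasons.append("prime is %d bits, below the %d-bit minimum" % (bits, min_bits))
    if p % 2 == 0:
        reasons.append("prime is even")
    if not 2 <= g <= p - 2:
        reasons.append("generator outside 2..p-2")
    return (not reasons), bits, reasons


# Constructed sample input: odd integers of the right size standing in for real
# primes so the example runs offline. They are NOT prime; never deploy them.
WEAK_PEM = encode_dh_params((1 << 1023) | 1, 2)    # 1024-bit, the size of the fallback
STRONG_PEM = encode_dh_params((1 << 2047) | 1, 2)  # 2048-bit, what the issue asks for

if __name__ == "__main__":
    for name, pem in (("weak", WEAK_PEM), ("strong", STRONG_PEM)):
        ok, bits, reasons = audit_dh_params(pem)
        print(name, bits, "bits:", "OK" if ok else "REJECT (" + "; ".join(reasons) + ")")
```

In practice you would run `openssl dhparam -out dh2048.pem 2048`, audit that file with `audit_dh_params(open("dh2048.pem").read())`, and only then reference it from the dhfile (and, for server-to-server, s2s_dhfile) option; the file path is an assumption of this note, and the option names are the ones given in the reply above.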

bowlofeggs commented 8 years ago

@weiss hey thanks for the tip! I'm currently running 14.07 but I am working on getting updated to 16.01 so I'll bookmark this. +1