[exim-dev] [Bug 1895] Default groups for DH possibly backdoo…

Page principale
Supprimer ce message
Répondre à ce message
Auteur: admin
Date:  
À: exim-dev
Anciens-sujets: [exim-dev] [Bug 1895] New: Default groups for DH possibly backdoored
Sujet: [exim-dev] [Bug 1895] Default groups for DH possibly backdoored
https://bugs.exim.org/show_bug.cgi?id=1895

--- Comment #10 from Jeremy Harris <jgh146exb@???> ---
I take it that the bit of code in OpenSSL dhparam.c around the use of
d2i_DHxparams_bio() is relevant?
As usual I am finding the OpenSSL docs unhelpful wrt. guidance on actually
using the library.

I think we need to retain support for PEM files; which means (if I understand
correctly about the need for q for sufficient security to enable support for
session resumption) that we'll want docs guidance. Can someone who understands
crypto say how the need arises, succinctly? We'll also want to describe how
to generate the parameter files.

We'll also need to look at the GnuTLS support. Currently we use
gnutls_dh_params_import_pkcs3() with a PEM flag; it does take DER as an
alternate
- but I don't know if "pkcs3" implies no q. The function is also "considered
obsolete", in favour of using RFC7919 parameters (which are now GnuTLS builtins
as well as being Exim builtins) - but note that Exim docs encourage sites to
generate their own.

--
You are receiving this mail because:
You are on the CC list for the bug.