On Sat, Sep 21, 2013 at 05:07:02PM -0700, Patrick Pelletier wrote:

> and there was a similar discussion on the OpenSSL list recently,
> with GnuTLS getting "blamed" for using the ECRYPT recommendations
> rather than 1024:
>
> http://www.mail-archive.com/openssl-users@openssl.org/msg71899.html
GnuTLS is reasonably sound engineering in electing 2048-bit groups by default on the TLS server. This inter-operates with the majority of clients; all the client has to do is to NOT artificially limit its implementation to 1024-bit EDH.

GnuTLS fails basic engineering principles when it sets a lower bound of 2048-bit EDH in its TLS client code. TLS clients do not negotiate the DH parameters, only the use of EDH, and most server implementations deployed today will offer 1024-bit EDH groups even when the symmetric cipher key length is substantially stronger. Having GnuTLS clients fail to connect to most servers (and e.g. with opportunistic TLS SMTP failing over to plain-text as a result) is not helping anyone!

To migrate the world to stronger EDH, the GnuTLS authors should work with the other toolkit implementors in parallel with and through the IETF to get all servers to move to stronger groups. Once that's done, and the updated implementations are widely deployed, raise the client minimum EDH group sizes. Unilaterally raising the client lower-bound is just, to put it bluntly, pissing into the wind.

-- 
Viktor.

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
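The mechanism behind the argument above, as an added illustration that is not part of the original message or of GnuTLS: a TLS 1.2 client never asks for a DH group size; it only learns the group when the server's ServerKeyExchange arrives, and can then merely accept or reject it. The block below builds and parses the ServerDHParams structure (dh_p, dh_g, dh_Ys as length-prefixed vectors), measures the group as the bit length of p, and applies a client-side minimum in either a strict mode (handshake fails) or an opportunistic mode (a weak group is still preferred over the cleartext fallback). The moduli are constructed stand-ins whose only relevant property is their size; they are not primes and the Ys values are placeholders.

```python
import struct

# Constructed stand-ins for DH moduli: only their bit length matters here.
# They are NOT safe primes and must never be used as real DH groups.
FAKE_P_1024 = (1 << 1023) | 1
FAKE_P_2048 = (1 << 2047) | 1
GENERATOR = 2


def _encode_opaque16(value: int) -> bytes:
    """Encode a positive integer as a TLS opaque<1..2^16-1> vector."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return struct.pack(">H", len(raw)) + raw


def build_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Build a ServerDHParams structure (RFC 5246 section 7.4.3):
    dh_p, dh_g and dh_Ys as consecutive 16-bit-length-prefixed vectors."""
    return _encode_opaque16(p) + _encode_opaque16(g) + _encode_opaque16(ys)


def parse_server_dh_params(body: bytes):
    """Parse ServerDHParams into (p, g, Ys); reject truncated or empty fields."""
    fields = []
    offset = 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if offset + 2 > len(body):
            raise ValueError(f"truncated before {name} length")
        (length,) = struct.unpack_from(">H", body, offset)
        offset += 2
        if length == 0 or offset + length > len(body):
            raise ValueError(f"bad length for {name}")
        fields.append(int.from_bytes(body[offset:offset + length], "big"))
        offset += length
    if offset != len(body):
        raise ValueError("trailing bytes after ServerDHParams")
    return tuple(fields)


def dh_group_bits(body: bytes) -> int:
    """Effective size of the server's group: the bit length of p, not the byte
    length of the dh_p vector (a leading 0x00 byte would inflate the latter)."""
    p, _g, _ys = parse_server_dh_params(body)
    return p.bit_length()


def evaluate_dh_group(body: bytes, minimum_bits: int, opportunistic: bool = False) -> str:
    """Client-side policy applied only after ServerKeyExchange arrives, because
    the client has no way to request a group size beforehand.
    Returns 'accept', 'reject' (strict: the handshake fails) or 'accept-weak'
    (opportunistic: a smaller group still beats falling back to cleartext)."""
    bits = dh_group_bits(body)
    if bits >= minimum_bits:
        return "accept"
    return "accept-weak" if opportunistic else "reject"


# Constructed sample messages: a server still offering a 1024-bit group and a
# server already moved to 2048 bits.  The Ys values are arbitrary placeholders.
SAMPLE_1024 = build_server_dh_params(FAKE_P_1024, GENERATOR, FAKE_P_1024 >> 3)
SAMPLE_2048 = build_server_dh_params(FAKE_P_2048, GENERATOR, FAKE_P_2048 >> 3)

if __name__ == "__main__":
    for label, msg in (("1024-bit server", SAMPLE_1024), ("2048-bit server", SAMPLE_2048)):
        print(label, dh_group_bits(msg), "bits:",
              "strict(min 2048) ->", evaluate_dh_group(msg, 2048),
              "| opportunistic(min 2048) ->", evaluate_dh_group(msg, 2048, opportunistic=True))
```

Running it shows the asymmetry the message complains about: with a 2048-bit client minimum, the 1024-bit server is rejected outright in strict mode, while an opportunistic client (the SMTP case) keeps the encrypted session rather than downgrading to plaintext; with a 1024-bit minimum both servers are accepted and the stronger group is used wherever the server offers it.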