On Saturday, 24 December 2016 02:15:35 UTC+1, Yuhong Bao wrote:
> AFAIK one of the reasons DHE was dropped was that 1024-bit DHE was common.
> Java used to hardcode 768-bit DHE.

This is a good point. Nevertheless, when using DHE, I always have been doing so with DH params I have generated myself with sufficient key length. It didn't take much time to find out how to do that and how to make Apache use these params. No modifications of my favorite Linux distribution's Apache or OpenSSL were needed to do that.

In contrast, I am trying to make Apache and OpenSSL run with ECDHE and curve 25519 for nearly two days now without success. I have to modify a central, security-critical component of the system in question (OpenSSL) by downloading the sources, compiling myself and replacing my system's OpenSSL (or possibly I have to run both versions in parallel due to some weird dependencies).

Consequently, in the near future, I can't rely on the security updates for my distribution, but will have to monitor OpenSSL advisories myself, and if there is a problem, I will have to fix it myself - redownload, reconfigure, recompile, reinstall, possibly fight with the dependencies again, and so on. No, I really didn't want to become the maintainer of my own OpenSSL package ...

I had some private communication with a very helpful and experienced person in the meantime, and he detailed to me that no Linux distribution (possibly with one exception) uses an OpenSSL version which supports X25519. Furthermore, the OpenSSL versions which claim to support 25519 seem to be buggy / broken (openssl ecparam -list_curves does not show 25519 although it is claimed to be there; tested with OpenSSL 1.1.0c yesterday).

So, comparing the hassle with ECs to the hassle I had with generating safe DH params, the latter one has been ridiculously easy. Therefore, I regret the community's policy of giving up DHE. But I have understood that I have to accept that policy, and I won't complain any more. The only thing I now can do is to try to make 25519 work.

Thank you very much,

Binarus
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

