On 2015-05-24 23:25, Rainer Jung wrote:
> On 24.05.2015 at 23:08, olli hauer wrote:
>> Hi,
>>
>> is there a chance to get the following revisions merged to 2.2.x?
>> - r1551685, r1652929 (fix IPv4 mapping on FreeBSD)
>>
>>
>> In ssl_engine_dh.c there are calls to generate dh512 and dh1024;
>> perhaps it is also an idea to drop dh512 and add dh2048 or higher.
>>
>> -system("openssl gendh $rand -out dh512.pem 512");
>> -system("openssl gendh $rand -out dh1024.pem 1024");
>> +system("openssl gendh $rand -out dh1024.pem 1024");
>> +system("openssl gendh $rand -out dh2048.pem 2048");
>
> I wonder whether we should instead remove that whole embedded perl script. An
> improvement was ported back from 2.4 to 2.2 that means you can simply include
> the "openssl dhparam" output in the certificate file. In addition, by default
> the next 2.2 will also choose a prime length corresponding to the RSA key
> length in the certificate. So in most cases users should be just fine. If
> admins want to tune, they can by generating params and appending them to the
> cert file.
>
> What do you think: is there still a need for this embedded perl script?
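Review bot: dropping the `dh512.pem` generation also drops the dh512 arrays the script emits into ssl_engine_dh.c (the `dh$num_p[]` definitions mentioned below), so whichever C code selects those symbols must change in the same commit; the hunk shows only the generator side. Given the reply that `openssl dhparam` output appended to the certificate file now covers this, removing the generator entirely is the cleaner change than retuning its sizes.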
In my opinion the perl part is no longer required with the new code.

As a side note, running perl against ssl_engine_dh.c will change the type from

- static const unsigned char dh$num_p[]
+ static unsigned char dh$num_p[]

-- 
olli
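As an added example (not code from this thread or from httpd), a small check that reads a certificate file with `openssl dhparam` output appended, as Rainer describes, and reports the bit length of the DH prime so an admin can confirm a tuned group is at least 2048 bits. The DER encoder, the placeholder certificate and the sample modulus are constructed here and hypothetical; only the PEM label and the PKCS#3 SEQUENCE layout are real.

```python
import base64
import re

# Constructed sample (hypothetical): SAMPLE_P is NOT a prime; parser-only, never for a server.
SAMPLE_P = (1 << 2047) | 0x1234567
SAMPLE_G = 2

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(v):
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body

def encode_dh_params(p, g):
    # PKCS#3 DHParameter: SEQUENCE { INTEGER p, INTEGER g }, the DER inside
    # the "-----BEGIN DH PARAMETERS-----" block that `openssl dhparam` writes.
    inner = _der_int(p) + _der_int(g)
    return b"\x30" + _der_len(len(inner)) + inner
def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln
def parse_dh_params(der):
    tag, seq, _ = _read_tlv(der, 0)
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag != 0x30 or tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected SEQUENCE { INTEGER p, INTEGER g }")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")
DH_PEM = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)
def check_cert_file(text, min_bits=2048):
    # dh_bits None: no explicit group appended, mod_ssl chooses by RSA key length.
    m = DH_PEM.search(text)
    if not m:
        return {"dh_bits": None, "ok": True}
    p, _g = parse_dh_params(base64.b64decode(m.group(1)))
    return {"dh_bits": p.bit_length(), "ok": p.bit_length() >= min_bits}
def build_sample_cert_file(p=SAMPLE_P, g=SAMPLE_G):
    # Certificate placeholder (constructed, not a real cert) followed by the DH block.
    dh = base64.encodebytes(encode_dh_params(p, g)).decode()
    return ("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
            "-----BEGIN DH PARAMETERS-----\n" + dh + "-----END DH PARAMETERS-----\n")
```

Run `check_cert_file(open("server.crt").read())` against a real combined file; a result of `{"dh_bits": None, ...}` means nothing was appended and the server-side default applies.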