> On May 29, 2016, at 1:38 AM, Phil Pennock <[email protected]> wrote:
>
> In a world where ECC is not yet widespread in MTA, PFS requires DH. The
> documentation, and many packages (I believe) encourage people to
> generate primes.

Indeed, but a better fallback than the groups from this misguided RFC would be a compiled-in 2048-bit safe prime group. I am not advocating no DH, rather I am strongly advocating no DH groups from RFC 5114. This is primarily while wearing my OpenSSL team member hat, not that snooty Postfix guy barging in on the Exim list. :-)

> These are a fallback. My belief was that PFS with 2048-bit DH from an
> RFC is better than no PFS. Today ... I think that I believe the same.

This particular RFC is a bad idea. Replace its groups with a safe group generated by the Exim developers, or generated at compile time, if you're willing to tolerate slow builds on older systems. (Generating 2048-bit Sophie-Germain safe primes can take minutes).

FWIW, in Postfix I take the first (generated by developers) approach, see lines 118 through 150 of:

https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_dh.c

--
Viktor.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev
Exim details at http://www.exim.org/ ##
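
The message above recommends a "safe prime group" as the compiled-in fallback. The following is an added example, not code from this thread, Exim or Postfix: a check that a DH modulus p is a safe prime (p and (p-1)/2 both prime) and which subgroup the generator g spans. The function names are hypothetical and the 11-bit sample values are constructed toy parameters, far too small for real use.

```python
import secrets

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=40):
    """Miller-Rabin with random bases; a composite passes with
    probability at most 4**-rounds."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:          # cheap trial division first
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:                 # write n-1 as d * 2**r with d odd
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)   # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False              # a is a witness: n is composite
    return True

def is_safe_prime(p):
    """True when p = 2q + 1 with both p and q prime."""
    return p % 2 == 1 and is_probable_prime((p - 1) // 2) and is_probable_prime(p)

def audit_dh_group(p, g):
    """Return a verdict string for DH parameters (p, g)."""
    if not is_probable_prime(p):
        return "reject: modulus is not prime"
    if not is_safe_prime(p):
        return "reject: modulus is not a safe prime"
    if not 1 < g < p - 1:
        return "reject: generator has order 1 or 2"
    # In a safe prime group every other element has order q or 2q.
    q = (p - 1) // 2
    if pow(g, q, p) == 1:
        return "ok: generator of the prime-order-q subgroup"
    return "ok: generator of the full group (order 2q)"

if __name__ == "__main__":
    # Constructed toy parameters: 2039 = 2*1019 + 1 is a safe prime,
    # 2053 is prime but (2053-1)/2 = 1026 is not.
    for p, g in [(2039, 2), (2039, 2037), (2053, 2), (2045, 2)]:
        print(p, g, audit_dh_group(p, g))
```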
