Bug ID: 1902
           Summary: generated DH parameters for Openssl
           Product: Exim
           Version: 4.87
          Hardware: All
                OS: All
            Status: NEW
          Severity: wishlist
          Priority: medium
         Component: TLS

We autogenerate Diffie-Hellman params in the GnuTLS variant,
calling gnutls_dh_params_generate2().  We don't with OpenSSL because it
takes too long; apparently the checking done is more strict and it can take
multiple minutes of cpu.

We should better support systems not wanting to use the "standards" published
primes (which are subject to precomputation-aided attacks), and also those
wanting to periodically roll-over their primes.  Given the compute cost this
should be done in background for OpenSSL.  We might also investigate
better checking on the GnuTLS version.

You are receiving this mail because:
You are on the CC list for the bug.
## List details at Exim 
details at ##

Reply via email to