> I created it per your instructions. See above about it not existing
> previously.
Oh, sorry for the confusion. Seems an emergency patch is in order to change
the default.
Would you be willing to test this patch (apply, build, install, remove
dh.params file, and restart)?
The patch changes the client and server default to 2048 (previously 512 and 1024)
to help mitigate LogJam/WeakDH.
Index: src/tls.c
===================================================================
--- src/tls.c (revision 284402)
+++ src/tls.c (working copy)
@@ -676,8 +676,8 @@
}
if (dhparam == NULL)
{
- dhparam = srv ? "1" : "5";
- req |= (srv ? TLS_I_DH1024 : TLS_I_DH512);
+ dhparam = "2";
+ req |= TLS_I_DH2048;
}
else if (*dhparam == '/')
{
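Review bot: Both new values are introduced here without the code that consumes them being in view: the string "2" must be accepted by the dhparam handling that follows this block (the `else if (*dhparam == '/')` chain and whatever matches the single-character "1"/"5" cases), and `TLS_I_DH2048` must be defined and acted on wherever `TLS_I_DH1024` and `TLS_I_DH512` were; confirm both exist in the tree being patched, otherwise the new default is set but never honoured. Two smaller points: with the `srv ? "1" : "5"` and `srv ? TLS_I_DH1024 : TLS_I_DH512` ternaries gone, check that `srv` is still referenced elsewhere in the function so the build stays warning-clean, and the documentation for the DH parameter option should be updated to state that the default is now 2048 bits for both client and server.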
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
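The test procedure above asks for the dh.params file to be removed so that the built-in default, rather than a file on disk, is what gets exercised after the restart. A practitioner will also want to check what any dh.params file that does remain on a host actually contains, since Logjam is about the size of the group, not where it came from. The script below is an added example, not sendmail code and not from the original thread: it reads a PEM "DH PARAMETERS" file with a minimal DER parser (PKCS#3 DHParameter: SEQUENCE { INTEGER p, INTEGER g, ... }) and reports the bit length of p, flagging anything below 2048. The sample parameters are constructed inline (arbitrary odd integers of the right size, not real safe primes) so that it runs offline; the 2048 threshold mirrors the patch, and the file path on the command line is an assumption.

```python
"""Report the size of the DH group in a PEM 'DH PARAMETERS' file such as
sendmail's dh.params. Standard library only: base64 plus a minimal DER
parser for the PKCS#3 DHParameter SEQUENCE { INTEGER p, INTEGER g, ... }."""
import base64
import re
import sys

MIN_DH_BITS = 2048  # the default the patch in the message above moves to

_PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)


def _der_len(buf, pos):
    """Decode a DER length field starting at buf[pos]; return (length, pos)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:          # short form: the byte is the length
        return first, pos
    n = first & 0x7F          # long form: n following bytes hold the length
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def _der_int(buf, pos):
    """Decode a DER INTEGER starting at buf[pos]; return (value, pos)."""
    if buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag, got 0x%02x" % buf[pos])
    length, pos = _der_len(buf, pos + 1)
    value = int.from_bytes(buf[pos:pos + length], "big", signed=True)
    return value, pos + length


def parse_dh_params(pem):
    """Return (p, g) from the first DH PARAMETERS block in a PEM string."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if not der or der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    seq_len, pos = _der_len(der, 1)
    end = pos + seq_len
    p, pos = _der_int(der, pos)
    g, pos = _der_int(der, pos)   # an optional privateValueLength may follow
    if pos > end or p <= 0:
        raise ValueError("malformed DHParameter")
    return p, g


def dh_bits(pem):
    """Bit length of the modulus p; this is the number Logjam cares about."""
    return parse_dh_params(pem)[0].bit_length()


def is_weak(pem, minimum=MIN_DH_BITS):
    return dh_bits(pem) < minimum


# --- constructed sample input (NOT real safe primes) -----------------------
def _der_encode_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_encode_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:            # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return b"\x02" + _der_encode_len(len(body)) + body


def make_dh_pem(p, g=2):
    """Encode (p, g) as a PEM DH PARAMETERS block (used only to build samples)."""
    body = _der_encode_int(p) + _der_encode_int(g)
    der = b"\x30" + _der_encode_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) +
            "\n-----END DH PARAMETERS-----\n")


def _fake_modulus(bits):
    """Odd integer with exactly `bits` bits; stands in for p, is not prime."""
    return (1 << (bits - 1)) | (0xC0FFEE << 8) | 1


SAMPLE_1024_PEM = make_dh_pem(_fake_modulus(1024))   # size of the old "1" default
SAMPLE_2048_PEM = make_dh_pem(_fake_modulus(2048))   # size of the new "2" default

if __name__ == "__main__":
    # Usage (path is an assumption): python3 dhcheck.py /etc/mail/dh.params
    for path in sys.argv[1:]:
        with open(path) as fh:
            bits = dh_bits(fh.read())
        verdict = "WEAK (< %d)" % MIN_DH_BITS if bits < MIN_DH_BITS else "ok"
        print("%s: %d-bit DH group, %s" % (path, bits, verdict))
```

The parser deliberately checks only the structure needed to read p and g; it does not test p for primality or safe-prime form, so a passing size check says the group is large enough, not that the file is otherwise sound. Run it against any dh.params left on a host, or against a file produced by openssl dhparam, before trusting that the 2048-bit default is what a restarted sendmail will negotiate.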