On Tue, 2014-11-11 at 13:35 +0100, Pierre Ossman wrote:
> On Tue, 11 Nov 2014 13:32:01 +0100,
> Manuel Pégourié-Gonnard wrote:
>
> > On 11/11/2014 12:50, Pierre Ossman wrote:
> > > TBH, I've never gotten a good grasp on what a good security policy is with
> > > regard to DH params. Some have pregenerated values, but I also see
> > > references that they should be regenerated every few hours/days/etc.
> > >
> > > Got any insight to share?
> > >
> > The DH params (ie: prime and generator) can totally be static. There are even
> > RFCs defining standardising values for them (3526, 5114, maybe more).
> >
> > The thing that should be regenerated regularly (ideally every key exchange,
> > for truly ephemeral DH) is your private-public DH key pair.
>
> Is that done by GnuTLS implicitly? I don't see anything in our use of
> GnuTLS that generates such things even once.
Yes, there is a new private key pair on every session in gnutls. There is no option to change that.

regards,
Nikos

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
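The policy Manuel describes (static group parameters, a fresh private/public key pair on every exchange) in working code, as an added example that is not part of the thread and not GnuTLS code. It is pure Python over integers: the prime and generator are RFC 3526 group 14 as transcribed here from the RFC, and the block checks that the prime is a safe prime before using it so a transcription slip is caught rather than used; the fixed-base Miller-Rabin test is a simplification for the example, and the 256-bit private exponent is conventional sizing for a 2048-bit group, not something the thread states.

```python
import secrets

# RFC 3526 group 14: 2048-bit MODP safe prime with generator 2 (transcribed from
# the RFC; is_safe_prime(P) below is the guard against a transcription error).
P = int("".join([
    "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74",
    "020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437",
    "4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED",
    "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05",
    "98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB",
    "9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B",
    "E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718",
    "3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF",
]).replace(" ", ""), 16)
G = 2
Q = (P - 1) // 2  # for a safe prime, G generates a subgroup of prime order Q

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, bases=SMALL_PRIMES):
    """Miller-Rabin with fixed small bases (simplification for this example;
    a production check would use random bases and more rounds)."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p):
    """Static DH group parameters should be a safe prime: p and (p-1)/2 both prime."""
    return p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def public_value_is_valid(y, p=P):
    """Reject degenerate peer values (0, 1, p-1, out of range) and anything outside
    the prime-order subgroup (y^Q must be 1 mod p)."""
    return 1 < y < p - 1 and pow(y, (p - 1) // 2, p) == 1


def generate_keypair(p=P, g=G):
    """The part that is regenerated on every exchange: a fresh random exponent x
    and the public value g^x mod p. 256 bits exceeds twice the ~112-bit strength
    of a 2048-bit group (conventional sizing, assumed here)."""
    x = secrets.randbits(256) | (1 << 255)  # force full length
    return x, pow(g, x, p)


def shared_secret(x, peer_public, p=P):
    """Validate the peer's value before exponentiating, then derive g^(xa*xb)."""
    if not public_value_is_valid(peer_public, p):
        raise ValueError("invalid DH public value")
    return pow(peer_public, x, p)


def run_exchange():
    """One ephemeral exchange over the static group; both sides' results are returned."""
    xa, ya = generate_keypair()
    xb, yb = generate_keypair()
    return shared_secret(xa, yb), shared_secret(xb, ya)


def demonstrate():
    """Two exchanges over the same static group: each agrees, and they differ."""
    first = run_exchange()
    second = run_exchange()
    return {
        "first_agreed": first[0] == first[1],
        "second_agreed": second[0] == second[1],
        "secrets_differ": first[0] != second[0],
    }


if __name__ == "__main__":
    print("group 14 prime is a safe prime:", is_safe_prime(P))
    print(demonstrate())
```

Running it shows the two properties the thread separates: the group (P, G) never changes, while every call to generate_keypair() yields a new exponent, so two sessions over the same group produce unrelated secrets. With a fixed, well-known group the implementation's remaining responsibility is validating the peer's public value, which is why shared_secret() refuses to exponentiate before public_value_is_valid() passes.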
