Hello Willy,

Nice speak at FRnOG 22 :)

>> This patch adds standardized (rfc 2409 / rfc 3526) DH parameters with
>> prime lengths of 1024, 2048, 3072, 4096, 6144 and 8192 bits, based on
>> the private key size. As of now, static DH parameters of 1024 bits are
>> used when no custom DH parameters are provided in the cert file,
>> effectively reducing the strength of the key exchange to 1024 bits even
>> when the private key is stronger than that.
>
> (...)
>
> Great, thank you. I'm just having a question, since I'm seeing a number
> of openssl functions involved, have you tried them with multiple versions
> to ensure that we don't need to add some extra #ifdefs in order not to
> break build on older libs ? Please at least check on openssl-0.9.8 (I
> think it's in RHEL5).

Yes, all functions exist in at least 0.9.8a. The most recently added
ones are get_rfcXXXX_prime_YYYY(), which have been present since 0.9.8a
(released 11 Oct 2005).

If you think it may be an issue, I will gladly add the missing #ifdefs,
but as even Debian 5 and RHEL 5 have an OpenSSL >= 0.9.8a, I am not sure
it is needed.

-- 
Rémi Gacogne

Aqua Ray
SAS au capital de 105.720 Euros
RCS Créteil 447 997 099
www.aquaray.fr

14, rue Jules Vanzuppe
94854 IVRY-SUR-SEINE CEDEX (France)
Tel : (+33) (0)1 84 04 04 05
Fax : (+33) (0)1 77 65 60 42