On 02.05.2014 16:52, Lukas Tribus wrote:
Hi Remi,
The default value for max-dh-param-size is set to 1024, thus keeping
the current behavior by default. Setting a higher value (for example
2048 with a 2048-bit RSA/DSA server key) allows an easy upgrade
to stronger ephemeral DH keys (and back if needed).
Please note that Sander used 4096-bit - which is why he saw huge CPE
load.
Imho we can default max-dh-param-size to 2048-bit.
Best thing would be if Sander could test in his environment with a
2048-bit dhparam manually (in the cert file).
I'll try to test around a bit this weekend.
Sander
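As an added example (not part of this thread, and not haproxy code), a small Python check that reports the prime size of any DH PARAMETERS block embedded in a certificate PEM file, which is what the manual dhparam test above relies on; the certificate bundle and the DH block it contains are constructed fixtures (the prime is a placeholder odd number, not a real safe prime), built only so the parser can be exercised offline.

```python
import base64
import re

# PKCS#3 "DH PARAMETERS" is DER: SEQUENCE { INTEGER p, INTEGER g }.
def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, index after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes

def dh_prime_bits(der):
    """Bit length of the prime p in one DER-encoded DH parameter block."""
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, pos = _der_length(der, 1)
    if der[pos] != 0x02:
        raise ValueError("expected INTEGER p")
    plen, pos = _der_length(der, pos + 1)
    return int.from_bytes(der[pos:pos + plen], "big").bit_length()

PEM_DH = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def dh_sizes_in_pem(pem_text):
    """Prime size in bits of every DH PARAMETERS block found in a PEM bundle."""
    return [dh_prime_bits(base64.b64decode(m.group(1).replace("\n", "")))
            for m in PEM_DH.finditer(pem_text)]

# --- constructed fixture below: builds a syntactically valid DH block ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der_int(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:          # leading zero keeps the INTEGER positive
        raw = b"\x00" + raw
    return b"\x02" + _der_len(len(raw)) + raw

def make_dh_pem(bits):
    """Constructed test block: a 'bits'-bit odd p (NOT a safe prime) and g=2."""
    body = _der_int((1 << (bits - 1)) | 1) + _der_int(2)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN DH PARAMETERS-----\n" + lines + "\n-----END DH PARAMETERS-----\n"

# Constructed bundle: a placeholder certificate block followed by a 2048-bit DH block.
CONSTRUCTED_BUNDLE = ("-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
                      + make_dh_pem(2048))
```

Run `dh_sizes_in_pem(open("site.pem").read())` against a real bundle to confirm the DH size actually deployed matches the key size you intended.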