Hi Rémi,

On Thu, May 28, 2015 at 05:45:43PM +0200, Remi Gacogne wrote:
> > Just a question, does it make sense to have different dh-param files
> > per key size so that depending on the cert key size we use a different
> > file, or are they totally decorrelated?
>
> I used to think that it made sense, but clearly the trend is to
> decorrelate the two.

OK.

> RSA 1024 is (at last) being phased out, and we have
> seen on this mailing-list that a DH greater than 2048-bit is simply too
> costly for a lot of users.

OK so that means that probably people will prefer to build their own
DH-1024 to use with 2048 keys.

> I am pretty sure that there is no use anymore
> trying to adapt the DH size to the RSA key size. We should probably
> remove this logic in 1.6 and just use the size specified by
> tune.ssl.default-dh-param, regardless of what the RSA key size is.

That's fine by me.

> I didn't have enough time to implement the 3 patches I promised yet,

I'm not the one who will blame you for that, if you knew the number of
things I don't have the time to do!

> so
> here is the most important one for now, fixing the bug reported by Hervé
> Commowick. I think it should be backported to 1.5.

OK I merged it, I had to apply it by hand on 1.5 but it was OK.

> I added a small patch for 1.6 that adds a destructor to clean up at exit
> the memory allocated internally by OpenSSL. It makes my life easier when
> using valgrind to check for leaks, so I figured it could be of interest
> to others as well :)

Thank you, I've applied it to both branches since people tend to debug 1.5
as well (especially distro maintainers who might get bug reports on their
own distro channels).

> I expect to be able to send the ssl-dh-param-file patch tomorrow, as it
> is mostly written (but not well tested yet), as well as the patch to
> move from 1024-bit DH to 2048-bit by default.

Great! Do you think it would make sense to backport the ssl-dh-param-file
to 1.5? I mean, will some users need this in the short term (or said
differently, may we use this as an incentive to be more careful about
that?).

Also for 1.5.13 as I understand it, I should regenerate a new dhparam-1024
to get rid of Oakley group 2. I'll need some directions on how to do this
correctly.

Thanks!
Willy