On Thu, Jun 04, 2015 at 05:54:51PM +0200, Willy Tarreau wrote:
> I simply used "openssl dhparam <size>" as suggested, and am trusting
> openssl to provide something reasonably safe since this is how every user
> builds their own dhparam when they don't want to use the initial one.
>
> I have no idea how openssl does it internally, I'm not a cryptanalyst,
> just a user and I have to trust openssl not to fail on me.

openssl dhparam <size> can be assumed to do its job reasonably well. The only
problem is that with the default primes you are in effect a third party
generating the prime, and you cannot provide a certificate that the prime
you've put as default was indeed produced by this mechanism.

> > A paranoid user would believe that it has been generated by
> > (say) NSA, which convinced you to claim that it's random material
>
> Yes, but such paranoid users also accuse everyone of much funnier things
> so I don't care much about what they believe.

Fair enough. I just point you at the relevant information; you're free to do
whichever way seems most appropriate to you. I agree that the paranoid user
would want to generate his own parameters anyway.

Best,
E.

P.S: openssl dhparam takes a while because prime testing is slow. At least,
algorithmically speaking, this is the difficult point.
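The two points raised in this reply, that a user who does not trust shipped defaults should generate and check their own parameters, and that the cost of `openssl dhparam` is dominated by primality testing, can be made concrete with a small script. The following Python is an added illustration and is not part of this thread, nor a reproduction of OpenSSL's own `dhparam` or `DH_check` code. It generates a safe prime (p = 2q + 1 with both p and q prime), picks a generator of the order-q subgroup, and then runs the checks a defender would apply to any `(p, g)` pair handed to them: p is prime, (p-1)/2 is prime, and g actually generates the prime-order subgroup. The function names `is_probable_prime`, `check_dh_params` and `generate_dh_params` are chosen here and are not OpenSSL APIs.

```python
import secrets
import time


def _sieve(limit):
    """Primes up to limit, used for cheap trial division before Miller-Rabin."""
    marks = bytearray([1]) * (limit + 1)
    marks[0] = marks[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if marks[i]:
            marks[i * i::i] = bytearray(len(marks[i * i::i]))
    return [i for i, m in enumerate(marks) if m]


SMALL_PRIMES = _sieve(1000)


def is_probable_prime(n, rounds=40):
    """Miller-Rabin probabilistic primality test (error < 4**-rounds)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n == p:
            return True
        if n % p == 0:
            return False
    # Write n - 1 = d * 2**s with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)  # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness of compositeness
    return True


def check_dh_params(p, g):
    """Return a list of problems with a DH group; an empty list means it passed.

    This is a mathematical check (safe prime, generator of the order-q
    subgroup); it is not OpenSSL's DH_check and does not mirror its messages.
    """
    problems = []
    if not is_probable_prime(p):
        problems.append("p is not prime")
        return problems
    q = (p - 1) // 2
    if not is_probable_prime(q):
        problems.append("(p-1)/2 is not prime, so p is not a safe prime")
        return problems
    if not 2 <= g <= p - 2:
        problems.append("generator out of range")
        return problems
    # g must generate the subgroup of prime order q; otherwise g has order
    # 2q and every public value leaks the low bit of the private exponent.
    if pow(g, q, p) != 1:
        problems.append("g does not generate the order-q subgroup")
    return problems


def generate_dh_params(bits):
    """Generate a safe prime p of the given bit length and a suitable generator.

    This is where the time goes: every candidate q needs a primality test, and
    the survivors need a second test on 2q + 1. Safe primes are rare, so many
    candidates are tried before one is found.
    """
    while True:
        # Random odd q with exactly bits-1 bits, so that p = 2q + 1 has `bits` bits.
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if not is_probable_prime(q, rounds=8):  # cheap screen first
            continue
        p = 2 * q + 1
        if is_probable_prime(p, rounds=8) and is_probable_prime(q) and is_probable_prime(p):
            break
    # In a safe-prime group the squares form the order-q subgroup, so 4 = 2**2
    # always works; 2 itself works only when it is a quadratic residue mod p.
    g = 2 if pow(2, q, p) == 1 else 4
    return p, g


if __name__ == "__main__":
    started = time.perf_counter()
    p, g = generate_dh_params(128)  # small on purpose; real use is 2048+ bits
    print("generated %d-bit safe prime in %.2fs" % (p.bit_length(), time.perf_counter() - started))
    print("check:", check_dh_params(p, g) or "ok")
    # A constructed bad group: 13 is prime but (13-1)/2 = 6 is not.
    print("check (13, 2):", check_dh_params(13, 2))
```

Running it with larger sizes shows the effect the postscript describes: the number of candidates grows with the bit length and each Miller-Rabin round costs a modular exponentiation at that size, so the wall-clock time climbs steeply. The same `check_dh_params` can be pointed at a parameter file's p and g (for instance after `openssl dhparam -text -noout -in file`) to confirm, independently of whoever produced it, that the group is a safe-prime group with a proper generator.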