Thank you for the information and links. > [stuff deleted]
> >> I'm probably missing something in the OpenSSL implementation. The > documentation for SSL_CTX_set_tmp_dh_callback() says that the > "tmp_dh_callback is called with the keylength needed..." But surely > this can't be only 512 or 1024...? Is it up to the application to decide to > use a larger key size based on the information from the SSL structure passed > in? > > No, OpenSSL is doing things per the standards. The standards are the > problem here. > I don't understand this comment. Are you suggesting that my application ONLY use what OpenSSL supplies as the value of the "keylength" parameter? And NOT use larger-than-1024-bit DH key sizes? Don't the standards and/or research suggest that larger key sizes SHOULD be used when appropriate? I guess what I'm asking is: what is the proper method for using larger ephemeral DH key sizes in OpenSSL? What I'm envisioning is something like the following: if the cipher suite and authentication key size info contained in the SSL structure require something stronger than 1024-bit ephemeral DH keys, use something bigger. And perhaps have an application override that can force the tmp_dh_callback to use 1024-bit for backwards compatibility. Does this make any sense? Or is the right answer not to use ephemeral DH cipher suites? The trade off being the lack of PFS for a more consistent security level. > > [stuff deleted] > > Jeff > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org > ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org