In: http://archives.neohapsis.com/archives/postfix/2013-09/0003.html

Peer Heinlein reports that some Exim SMTP clients fail to establish a TLS session with Postfix SMTP servers because Exim enforces a minimum prime size of 2048 bits for MODP EDH.

My reply in: http://archives.neohapsis.com/archives/postfix/2013-09/0015.html boils down to the behaviour of SSL_CTX_set_tmp_dh_callback(3), which invokes the application callback with one of two keylengths:

    #define SSL_EXPORT_PKEYLENGTH(a) (SSL_IS_EXPORT40(a) ? 512 : 1024)

in response to which Postfix returns parameters with a 512-bit or a 1024-bit prime.

- Is it reasonable for clients to expect stronger EDH groups?

- Is there any API support in OpenSSL for servers to provide a suitable range of parameters, perhaps tied to the negotiated symmetric algorithm key size? (With anonymous cipher-suites there is no public key on which to base the EDH parameter choice.)

Given the high computational cost of prime EDH, my guess is that it does not make much sense to go beyond 1024 bits, and that EECDH is by far the better choice for greater security.

Incidentally, I just noticed the undocumented SSL_CTX_set_tmp_ecdh_callback(), which has the same interface as SSL_CTX_set_tmp_dh_callback(3) and, it seems, is also called with keylength equal to either 512 or 1024. What is the meaning of the keylength in this context?

I have been using the equally undocumented SSL_CTX_set_tmp_ecdh(), which just sets a fixed curve for all EECDH cipher-suites. Is there any disadvantage to this approach? It would be nice to have more documentation for the EC side of the interface.

-- 
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
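The post describes a server that hands back a 512- or 1024-bit group depending on the keylength hint OpenSSL passes to the tmp_dh callback, and a client (Exim) that refuses anything under 2048 bits. The practical fix on the server side is to ignore the hint and always supply a group of at least 2048 bits. The example below is added here and is not code from the post, from Postfix or from OpenSSL; it uses Python's ssl module, whose SSLContext.load_dh_params() installs a fixed group via SSL_CTX_set_tmp_dh, which has the same effect as returning that group from the callback for every keylength. It encodes the 2048-bit MODP group from RFC 3526 (group 14) as PKCS#3 DHparams PEM, checks the prime is a safe prime before trusting it, and loads it into a server context. The function names (dhparams_pem, dhparams_prime_bits, dh_group_is_safe, server_context_with_dh) are this example's own.

```python
"""Supplying a 2048-bit finite-field DH group to an OpenSSL-backed TLS server.

Added example: not code from the mailing-list post, Postfix or OpenSSL.
"""
import base64
import os
import ssl
import tempfile

# RFC 3526 section 3, "2048-bit MODP Group" (group 14): p is a safe prime, g = 2.
MODP_2048_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
MODP_2048_G = 2


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value; the extra byte keeps the sign bit clear."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_length(len(body)) + body


def der_sequence(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + _der_length(len(body)) + body


def dhparams_pem(p: int, g: int) -> str:
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }, PEM-armoured."""
    der = der_sequence(der_integer(p), der_integer(g))
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]  # 64-column PEM lines
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def _der_read(buf: bytes, pos: int):
    """Read one TLV at pos; returns (tag, contents, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def dhparams_prime_bits(pem: str) -> int:
    """Bit length of the prime in a DH PARAMETERS PEM block (what a 2048-bit minimum checks)."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    tag, seq, _ = _der_read(base64.b64decode(body), 0)
    assert tag == 0x30, "expected SEQUENCE"
    tag, p_bytes, _ = _der_read(seq, 0)
    assert tag == 0x02, "expected INTEGER"
    return int.from_bytes(p_bytes, "big").bit_length()


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin with fixed small bases; enough to catch a corrupted or fabricated group."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for q in small:
        if n % q == 0:
            return n == q
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in small[:rounds]:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_group_is_safe(p: int) -> bool:
    """True when p and (p-1)/2 are both (probable) primes, i.e. p is a safe prime."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def server_context_with_dh(p: int = MODP_2048_P, g: int = MODP_2048_G) -> ssl.SSLContext:
    """Server context that offers the given group for every DHE handshake, whatever
    keylength OpenSSL would have hinted to a tmp_dh callback."""
    if not dh_group_is_safe(p):
        raise ValueError("refusing to load a DH group whose prime is not a safe prime")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    fd, path = tempfile.mkstemp(suffix=".pem")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(dhparams_pem(p, g))
        ctx.load_dh_params(path)  # raises ssl.SSLError if OpenSSL rejects the encoding
    finally:
        os.unlink(path)
    return ctx


if __name__ == "__main__":
    pem = dhparams_pem(MODP_2048_P, MODP_2048_G)
    print("prime bits:", dhparams_prime_bits(pem), "safe prime:", dh_group_is_safe(MODP_2048_P))
    server_context_with_dh()
    print("group loaded into server context")
```

The safe-prime check is the part a server operator most wants before pointing a daemon at a parameter file: a group that parses but is not prime gives no security at all, and OpenSSL does not test primality when the parameters are installed. With the 2048-bit group loaded, a client enforcing a 2048-bit minimum for MODP EDH will accept the DHE handshake; the symmetric-strength-matching question raised in the post is left open because this interface, like SSL_CTX_set_tmp_dh, supports only one fixed group.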
Peer Heinlein reports that some Exim SMTP clients fail to establish a TLS session with Postfix SMTP servers because Exim enforces a minimum prime size of 2048-bits for MODP EDH. My reply in: http://archives.neohapsis.com/archives/postfix/2013-09/0015.html boils down the behaviour of SSL_CTX_set_tmp_dh_callback(3) which invokes the application callback with one of two keylengths: #define SSL_EXPORT_PKEYLENGTH(a) (SSL_IS_EXPORT40(a) ? 512 : 1024) in response to which Postfix returns parameters with a 512-bit or a 1024-bit prime. - Is it reasonable for clients to expect stronger EDH groups? - Is there is any API support in OpenSSL for servers to provide a suitable range of parameters, perhaps tied to the negotiated symmetric algorithm key size? (With anonymous cipher-suites there is no public key on which to base the EDH parameter choice). Given the high computational cost of prime EDH, my guess is that it does not make much sense to go beyond 1024-bits, and that EECDH is by far the better choice for greater security. Incidentally, I just noticed the undocumented SSL_CTX_set_tmp_ecdh_callback(), which has the same interface as SSL_CTX_set_tmp_dh_callback(3) and it seems is also called with keylength equal to either 512 or 1024. What is the meaning of the keylength in this context? I have been using the equally undocumented SSL_CTX_set_tmp_ecdh(), which just sets a fixed curve for all EECDH cipher-suites. Is there any disadvantage to this approach? It would be nice to have more documentation for the EC side of the interface. -- Viktor. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org