On Fri, Aug 14, 2015 at 06:23:11AM -0600, Todd C. Miller wrote:
> > Related to this: smtpd(8) has compiled-in 1024-bit DH parameters.
> > This probably wants at least bumping to 2048 though I wonder if it
> > might be better to remove the compiled-in value completely and
> > require it to be read from a file instead.
> >

The DH parameters have been bumped to 2048 in the latest OpenSMTPD release
which will be committed to OpenBSD soon. I need to fix a couple of issues
that were reported in the last few days first.

I don't think removing the compiled-in value is a good idea. People can
already load their own DH parameters from a file, and having safely
generated compiled-in parameters as the default fallback doesn't hurt.

> > Would it make sense to have a common "system" dh params file, in a
> > similar vein to ssh's /etc/moduli? (Actually, could we just *use*
> > /etc/moduli?)
>
> That would be a nice idea yes

-- 
Gilles Chehade
https://www.poolp.org @poolpOrg
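The thread's practical point is that an operator who loads DH parameters from a file should be able to confirm the file actually carries a 2048-bit (or larger) modulus rather than the old 1024-bit size. The following is an added example, not code from OpenSMTPD or from anyone in this thread: a small Python checker that decodes a PEM "DH PARAMETERS" block (the PKCS#3 DHParameter SEQUENCE of prime and base that `openssl dhparam` writes) without any third-party library and reports the modulus size plus basic sanity findings. The two sample moduli are constructed odd numbers of the right bit length, not real safe primes; they only exercise the size check.

```python
import base64

MIN_DH_BITS = 2048  # the floor the thread settles on


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_int(v: int) -> bytes:
    """DER INTEGER: minimal big-endian, leading 0x00 if the high bit is set."""
    raw = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return b"\x02" + _der_len(len(raw)) + raw


def encode_dh_params_pem(p: int, g: int) -> str:
    """Wrap DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER } in PEM."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n"
            + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def parse_dh_params_pem(pem: str):
    """Return (p, g) from a PEM 'DH PARAMETERS' block (PKCS#3 DHParameter)."""
    b64 = "".join(line.strip() for line in pem.splitlines()
                  if line.strip() and not line.startswith("-----"))
    der = base64.b64decode(b64)
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_raw, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER for p")
    tag, g_raw, _ = _read_tlv(seq, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER for g")
    return int.from_bytes(p_raw, "big"), int.from_bytes(g_raw, "big")


def check_dh_params_pem(pem: str, minimum_bits: int = MIN_DH_BITS):
    """Return (bits, problems): size of p and a list of policy findings."""
    p, g = parse_dh_params_pem(pem)
    bits = p.bit_length()
    problems = []
    if bits < minimum_bits:
        problems.append(f"modulus is {bits} bits, below the {minimum_bits}-bit minimum")
    if p % 2 == 0:
        problems.append("modulus is even, cannot be prime")
    if not 2 <= g < p:
        problems.append("generator out of range")
    return bits, problems


# Constructed sample moduli: odd values of the right size, NOT real safe primes,
# used only to exercise the size check. Real parameters come from
# `openssl dhparam 2048` or whatever file smtpd is configured to load.
WEAK_P = (1 << 1023) | 1    # 1024-bit, like the old compiled-in default
OK_P = (1 << 2047) | 1      # 2048-bit, the bumped size

WEAK_PEM = encode_dh_params_pem(WEAK_P, 2)
OK_PEM = encode_dh_params_pem(OK_P, 2)

if __name__ == "__main__":
    for name, pem in (("weak", WEAK_PEM), ("ok", OK_PEM)):
        bits, problems = check_dh_params_pem(pem)
        print(name, bits, "bits,", problems or "no findings")
```

Point `check_dh_params_pem` at the contents of a real parameter file to audit it; the size check is the one that matters for the thread, the evenness and generator checks only catch obviously corrupt input and are no substitute for the primality testing that `openssl dhparam -check` performs. Note that ssh's /etc/moduli, mentioned in the quoted question, is a line-oriented text format rather than PEM, so reusing it would need a separate reader.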
