Hubert Kario <hka...@redhat.com> writes:

>It's also easy and quick to verify that the server *is* behaving correctly
>and thus is not exploitable.

It's also a somewhat silly issue to raise: if we're worried about a server using deliberately broken FFDHE parameters then why aren't we worried about the server leaking its private key through the server random, or posting it to Pastebin, or sending a copy of the session plaintext to virusbucket.ru? If the server's broken it's broken and there's not much a client can do about it.

(As an aside, -LTS fixes this by requiring FIPS-186-style FFDHE values rather than PKCS #3-style ones, although a determined server can still bypass even this level of verification, just as they can spike ECDHE in a dozen ways if they want).

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
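The aside about FIPS-186-style versus PKCS #3-style FFDHE values comes down to what a client can actually check. The following is an added illustration, not code from the thread or from the TLS-LTS draft: with FIPS 186 style parameters (p, q, g) a client can confirm that q is prime, that q divides p-1, that g generates the order-q subgroup, and that the peer's public value lies in that subgroup; PKCS #3 style parameters carry only (p, g), so the subgroup checks simply cannot be performed. The group p=23, q=11, g=2 and the "bad" values used below are constructed toy parameters for readability, not real FFDHE groups, and the Miller-Rabin helper with a fixed seed is an assumption of this example rather than anything the draft specifies.

```python
import random


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test; adequate for parameter sanity checks."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for sp in small:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)  # fixed seed so the example is deterministic (assumption)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_fips186_params(p, q, g):
    """Checks a client can run on FIPS 186-style (p, q, g) parameters.
    Returns None when the parameters pass, else a string naming the first failure."""
    if not is_probable_prime(p):
        return "p is not prime"
    if not is_probable_prime(q):
        return "q is not prime"
    if (p - 1) % q != 0:
        return "q does not divide p-1"
    if not 1 < g < p - 1:
        return "g out of range"
    if pow(g, q, p) != 1:
        return "g does not have order q"
    return None


def validate_pkcs3_params(p, g):
    """PKCS #3 style carries only (p, g): without q the subgroup order of g is unverifiable."""
    if not is_probable_prime(p):
        return "p is not prime"
    if not 1 < g < p - 1:
        return "g out of range"
    return None  # a generator of the wrong order passes here undetected


def validate_peer_public(y, p, q=None):
    """Range-check the peer's DH public value; the subgroup check needs q."""
    if not 1 < y < p - 1:
        return "y out of range"
    if q is not None and pow(y, q, p) != 1:
        return "y is not in the order-q subgroup"
    return None


def demo():
    """Constructed toy group: p=23, q=11 (11 | 22), g=2 has order 11 (2^11 = 2048 = 1 mod 23).
    g=5 generates the whole group (order 22), so it is not a valid order-q generator."""
    p, q, g_good, g_bad = 23, 11, 2, 5
    return {
        "fips_good": validate_fips186_params(p, q, g_good),
        "fips_bad_g": validate_fips186_params(p, q, g_bad),
        "pkcs3_bad_g": validate_pkcs3_params(p, g_bad),   # passes: nothing to check against
        "peer_with_q": validate_peer_public(g_bad, p, q),  # rejected: not in subgroup
        "peer_without_q": validate_peer_public(g_bad, p),  # accepted: only a range check
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'ok' if result is None else result}")
```

The two `validate_*_params` functions make the distinction concrete: the same out-of-subgroup generator is rejected under the FIPS 186 checks and accepted under the PKCS #3 checks, which is all a client can say about the server's choice of parameters either way.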