[gnutls-help] too few bits from gnutls_dh_params_generate2() ?

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Nov 10 23:59:18 CET 2014


On Mon, 2014-11-10 at 11:48 -1000, Daniel Kahn Gillmor wrote:
> Hi Pierre--

> > After some debugging it turns out that the failing criteria is that
> > multiple of 64 bits requirement[1]. For some reason I've gotten a 1023
> > bit prime, even though I called gnutls_dh_params_generate2() with 1024
> > as the argument.
> ugh.  Java is at fault here -- there's no sense in this particular
> severe limitation.  if they're willing to use 512-bit DHE parameters and
> 1024-bit DHE parameters, they should be willing to use 1023-bit DHE
> parameters.

That's indeed quite an arbitrary limitation.

> That said, i suppose it's possible that gnutls could always ensure that
> the high bit is set when generating a prime of a given size.

That should be the case in gnutls 3.3.x. That version delegates to
nettle the DH parameter generation and nettle seems to be more precise.

> > This is with GnuTLS 3.2.15 and nettle 2.7.1 on Windows.
> > Who's to blame here? GnuTLS? Java? Us? Everybody? :)
> > And what do I do about it? Keep calling gnutls_dh_params_generate2()
> > until I get what I need?

One option would be to upgrade to 3.3.x.

regards,
Nikos
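
Added illustration, not code from this thread, from GnuTLS or from nettle. It models the two points above in Python (chosen so it runs without libgnutls): a generator that draws `bits` random bits and leaves the top bit to chance can hand back a prime of `bits - 1` or fewer bits, forcing the top bit guarantees the requested length, and a caller can verify an exported prime before giving it to a peer with the multiple-of-64 rule. The thread does not say how 3.2.15 actually ends up with a 1023-bit prime; the unforced top bit here is an assumption used to reproduce the symptom, and all function names are mine.

```python
"""Added example, not from the gnutls-help thread, GnuTLS or nettle.

Reproduces the "1023-bit prime for a 1024-bit request" symptom with a
toy prime generator and shows the length check a caller should make.
Assumption (not stated in the thread): the short prime comes from a
candidate whose top bit was left to chance.
"""
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=24):
    """Miller-Rabin test, preceded by trial division by small primes."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def top_bit_clear_randbits(k):
    """Random source that never sets bit k-1: the worst case for a
    generator that does not force the top bit itself."""
    return secrets.randbits(k - 1)


def generate_prime(bits, force_top_bit=True, rng=secrets.randbits):
    """Return a probable prime built from `bits` random bits.

    With force_top_bit=False the high bit is whatever rng produced, so
    the result can have fewer than `bits` bits (the symptom in the
    thread).  With force_top_bit=True it has exactly `bits` bits.
    """
    if bits < 8:
        raise ValueError("toy generator wants at least 8 bits")
    while True:
        cand = rng(bits) | 1                      # odd candidate
        if force_top_bit:
            cand |= 1 << (bits - 1)               # exactly `bits` bits
        if is_probable_prime(cand):
            return cand


def prime_bits_from_raw(prime_be):
    """Bit length of a prime given as big-endian bytes, the form a raw
    parameter export hands back.  A leading zero byte does not count."""
    return int.from_bytes(prime_be, "big").bit_length()


def dh_prime_length_ok(p, requested_bits):
    """What the strict peer in the thread insists on: the prime has
    exactly the requested size and that size is a multiple of 64."""
    n = p.bit_length()
    return n == requested_bits and n % 64 == 0


def dh_prime_for_strict_peer(bits, generator=generate_prime):
    """The workaround asked about in the thread: keep generating until
    the prime has the exact length the peer will accept."""
    if bits % 64:
        raise ValueError("peer requires a multiple of 64 bits")
    while True:
        p = generator(bits, force_top_bit=False)
        if dh_prime_length_ok(p, bits):
            return p


if __name__ == "__main__":
    short = generate_prime(256, force_top_bit=False, rng=top_bit_clear_randbits)
    print("unforced top bit:", short.bit_length(), "bits for a 256-bit request")
    exact = generate_prime(256)
    print("forced top bit:  ", exact.bit_length(), "bits")
    print("ok for strict peer:", dh_prime_length_ok(exact, 256))
```

Against real GnuTLS the same check is: export p with gnutls_dh_params_export_raw(), feed the prime datum's bytes to prime_bits_from_raw(), and regenerate (or upgrade to 3.3.x, as suggested above) if the result is not the size that was requested.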