[gnutls-help] too few bits from gnutls_dh_params_generate2() ?

[Pierre Ossman]

On Tue, 11 Nov 2014 12:42:10 +0100,
Nikos Mavrogiannopoulos wrote:

> On Tue, Nov 11, 2014 at 7:58 AM, Pierre Ossman <ossman at cendio.se> wrote:
> > It was generated like this:
> >
> >   if (gnutls_dh_params_generate2(dh_params, DH_BITS) != GNUTLS_E_SUCCESS)
> >     throw AuthFailureException("gnutls_dh_params_generate2 failed");
> 
> A question that arises, is why do you generate those parameters
> anyway? Why not ship some static parameters (via certtool
> --get-dh-params).
> 

Unfortunately I have no idea as I did not write that code. It's probably
based on one of your examples that generates them on the fly.

TBH, I've never gotten a good grasp on what a good security policy is
with regard to DH params. Some have pregenerated values, but I also see
references that they should be regenerated every few hours/days/etc.

Got any insight to share?

> >> One option would be to upgrade to 3.3.x.
> >>
> > But that is still not considered a stable series, right?
> 
> It is the current stable.
> 

Oh. I got confused by the front page which states:

> Released GnuTLS 3.3.10, GnuTLS 3.2.20, GnuTLS 3.1.28, which are bug-fix releases on the next, current and previous stable branches respectively. 

I.e. 3.3.10 is being called "next", which suggests to me that it wasn't
stable yet. But I see now that the download page lists 3.3.x as stable.

Rgds
-- 
Pierre Ossman           Software Development
Cendio AB		https://cendio.com
Teknikringen 8		https://twitter.com/ThinLinc
583 30 Linköping	https://facebook.com/ThinLinc
Phone: +46-13-214600	https://plus.google.com/+CendioThinLinc

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: </pipermail/attachments/20141111/037ab844/attachment.sig>