[gnutls-help] too few bits from gnutls_dh_params_generate2() ?
ossman at cendio.se
Tue Nov 11 12:50:14 CET 2014
On Tue, 11 Nov 2014 12:42:10 +0100,
Nikos Mavrogiannopoulos wrote:
> On Tue, Nov 11, 2014 at 7:58 AM, Pierre Ossman <ossman at cendio.se> wrote:
> > It was generated like this:
> > if (gnutls_dh_params_generate2(dh_params, DH_BITS) != GNUTLS_E_SUCCESS)
> > throw AuthFailureException("gnutls_dh_params_generate2 failed");
> A question that arises, is why do you generate those parameters
> anyway? Why not ship some static parameters (via certtool
Unfortunately I have no idea as I did not write that code. It's probably
based on one of your examples that generates them on the fly.
TBH, I've never gotten a good grasp on what a good security policy is
with regard to DH params. Some have pregenerated values, but I also see
references that they should be regenerated every few hours/days/etc.
Got any insight to share?
> >> One option would be to upgrade to 3.3.x.
> > But that is still not considered a stable series, right?
> It is the current stable.
Oh. I got confused by the front page which states:
> Released GnuTLS 3.3.10, GnuTLS 3.2.20, GnuTLS 3.1.28, which are bug-fix releases on the next, current and previous stable branches respectively.
I.e. 3.3.10 is being called "next", which suggests to me that it wasn't
stable yet. But I see now that the download page lists 3.3.x as stable.
Pierre Ossman, Software Development
Cendio AB, Teknikringen 8, 583 30 Linköping
Phone: +46-13-214600
https://cendio.com
https://twitter.com/ThinLinc
https://facebook.com/ThinLinc
https://plus.google.com/+CendioThinLinc
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
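Whether parameters are generated on the fly or shipped statically via certtool as Nikos suggests, the subject line ("too few bits") points at one check worth automating: confirm the prime in the parameters you deploy actually has the size you configured. The pure-Python check below is an added example, not code from this thread or from GnuTLS; it parses a PEM `DH PARAMETERS` blob (PKCS#3 `SEQUENCE { INTEGER p, INTEGER g }`) and compares the prime's bit length against the expected size. The sample parameters are constructed inside the block and are not a real safe prime.

```python
import base64

def der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_int(v):
    """Encode a non-negative INTEGER; the extra bit forces a leading 0x00 when the high bit is set."""
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + der_len(len(b)) + b

def dh_params_pem(p, g):
    """Build a PKCS#3 DHParameter PEM: SEQUENCE { INTEGER p, INTEGER g }."""
    body = der_int(p) + der_int(g)
    b64 = base64.b64encode(b"\x30" + der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_dh_params(pem):
    """Return (p, g) from a DH PARAMETERS PEM; an optional trailing privateValueLength is ignored."""
    b64 = "".join(ln for ln in pem.splitlines() if ln and not ln.startswith("-----"))
    tag, seq, _ = _read_tlv(base64.b64decode(b64), 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p and INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")

def check_dh_bits(pem, required):
    """(ok, actual_bits): does the prime have at least the size the deployment expects?"""
    bits = parse_dh_params(pem)[0].bit_length()
    return bits >= required, bits

# Constructed sample: a 2048-bit odd number standing in for p (NOT a real safe prime), g = 2.
SAMPLE_PEM_2048 = dh_params_pem((1 << 2047) | 1, 2)
if __name__ == "__main__":
    print(check_dh_bits(SAMPLE_PEM_2048, 2048))  # (True, 2048)
```

Point `parse_dh_params` at the output of `certtool --generate-dh-params` (or at parameters exported from a running service) to confirm the shipped prime matches the configured `DH_BITS`.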