<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">On Oct 16, 2015, at 3:35 PM, John-Mark Gurney <<a href="mailto:jmg@funkthat.com" class="">jmg@funkthat.com</a>> wrote:<br class=""><div><blockquote type="cite" class=""><br class="Apple-interchange-newline"><div class=""><div class="">Ray Dillinger wrote this message on Fri, Oct 16, 2015 at 13:39 -0700:<br class=""><blockquote type="cite" class="">Isn't the appropriate fix making sure that different numbers get used<br class="">each time DH is performed? And won't that be the appropriate thing to<br class="">do regardless of the key length being used?<br class=""></blockquote><br class="">Please go run openssl dhparam 1024 (or for more fun, 2048), and tell<br class="">me if doing that on every connection, https session, etc, is doable?<br class=""><br class="">For everyone else, it's about a second, but can take >5 seconds to<br class="">generate a 1024 bit dh parameter... 2048 can take >47 second and this<br class="">is on a 2.5GHz Core i7…<br class=""><br class=""></div></div></blockquote>It could be done on bootup, and the web server could have a dependency on it (sprinkle in other services as appropriate). It would (potentially) delay things slightly, but the benefits would far outweigh the loss of a few seconds.</div><br class=""><div class="">
<div style="orphans: 2; widows: 2;" class="">--</div><div style="orphans: 2; widows: 2;" class="">Louis Kowolowski <a href="mailto:louisk@cryptomonkeys.org" class="">louisk@cryptomonkeys.org</a></div><div style="orphans: 2; widows: 2;" class="">Cryptomonkeys: <a href="http://www.cryptomonkeys.com/" class="">http://www.cryptomonkeys.com/</a></div><div style="orphans: 2; widows: 2;" class=""><br class=""></div><div style="orphans: 2; widows: 2;" class="">Making life more interesting for people since 1977</div>
</div>
<br class=""></body></html>