[Fedora-packaging] running openssl dhparam in %post

Florian Weimer fweimer at redhat.com
Fri Sep 18 14:17:25 UTC 2015


On 09/18/2015 03:14 PM, Daniel Pocock wrote:
> 
> 
> On 18/09/15 14:14, Florian Weimer wrote:
>> On 09/17/2015 09:07 PM, Daniel Pocock wrote:
>>
>>> For reSIProcate 1.10.0, we will support PFS on TLS connections; this
>>> requires a DH parameters file to be generated on each installation of
>>> the package.
>>
>> Why is forward secrecy with ECDHE not good enough?  For that, you won't
>> need to generate DH parameters at all.
>>
> 
> Both DH and ECDH are supported
> 
> If the DH parameters are not present, it will still work with ECDH alone.

That should be sufficient and is more secure because the
ServerKeyExchange signature does not indicate if the hashed & signed
data is for DH or ECDH. :-(

> To maximize compatibility in a world of federated SIP though, it is
> useful to have both.

Are you sure?  Finite-field DH used to be pretty widely disabled for
performance reasons.

-- 
Florian Weimer / Red Hat Product Security
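To illustrate the point made in this exchange (ECDHE gives forward secrecy without any parameter file, while finite-field DHE only becomes usable once DH parameters exist), here is an added example that is not reSIProcate's code nor anything from the thread. It uses Python's `ssl` module, which wraps OpenSSL's cipher-list semantics; the cipher strings, the function names and the DH parameter path are assumptions chosen for the example. The server context is built with ECDHE-only suites by default and loads a DH parameter file only if it is actually present, so a package can skip `openssl dhparam` in `%post` and still offer PFS:

```python
import os
import ssl

# Assumed cipher strings for this example (not reSIProcate's defaults).
# ECDHE_ONLY: forward secrecy via elliptic-curve DH; no parameter file needed.
# ECDHE_AND_DHE: additionally offers finite-field DHE, which is only usable
# once DH parameters have been loaded into the context.
ECDHE_ONLY = "ECDHE+AESGCM:ECDHE+CHACHA20"
ECDHE_AND_DHE = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL"


def build_server_context(cipher_string=ECDHE_ONLY, dh_params_path=None):
    """Build a TLS server context and report whether DH parameters were loaded.

    ECDHE needs no parameter file: the curve comes from the negotiated group.
    Finite-field DHE needs parameters; if dh_params_path is None or the file
    does not exist, nothing is loaded and the server still has PFS via ECDHE.
    Returns (ctx, dh_loaded).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)

    dh_loaded = False
    # Hypothetical path such as /etc/pki/resiprocate/dh2048.pem; only load it
    # when a packager or admin has actually generated it.
    if dh_params_path and os.path.isfile(dh_params_path):
        ctx.load_dh_params(dh_params_path)
        dh_loaded = True
    return ctx, dh_loaded


def key_exchange_kinds(ctx):
    """Return the set of key-exchange kinds among the TLS 1.2 suites offered.

    Values come from OpenSSL's key-exchange NIDs as exposed by
    SSLContext.get_ciphers(), e.g. 'kx-ecdhe' or 'kx-dhe'. TLS 1.3 suites are
    skipped: they always use (EC)DHE and do not carry a kx in the suite name.
    """
    kinds = set()
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        kinds.add(c["kea"])
    return kinds


if __name__ == "__main__":
    ctx, loaded = build_server_context()
    print("ECDHE-only context, DH params loaded:", loaded)
    print("key exchange kinds:", sorted(key_exchange_kinds(ctx)))

    ctx2, loaded2 = build_server_context(ECDHE_AND_DHE, "/nonexistent/dh2048.pem")
    print("ECDHE+DHE context, DH params loaded:", loaded2)
    print("key exchange kinds:", sorted(key_exchange_kinds(ctx2)))
```

The check in `key_exchange_kinds` is what a packager would run to confirm that an ECDHE-only cipher string really excludes every finite-field DHE suite; with the ECDHE-only string the only kind reported is `kx-ecdhe`, and no `%post` scriptlet has to spend time on `openssl dhparam`.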