[erlang-questions] SSL and hardcoded DH prime

Paul Peregud paulperegud@REDACTED
Thu Aug 23 21:07:24 CEST 2018


It's a long-ish process. But you can run it during installation or first run.

$ time openssl dhparam -out dhparam.pem 2048
...
real    0m3,623s
user    0m3,612s
sys    0m0,000s



On Thu, Aug 23, 2018 at 5:27 PM Alexander Petrovsky <askjuise@REDACTED>
wrote:

> Yeah, Ingela, thanks! I know about the default value and the dh, dhfile options.
> The main question: is there any reason not to generate the DH prime in real time?
>
> On Thu, 23 Aug 2018 at 20:12, Ingela Andin <ingela.andin@REDACTED> wrote:
>
>> Hi!
>>
>> It is only the default value that is hard coded (a recommended value), you
>> may configure your own parameters with the dh or dhfile option.
>>
>> Regards Ingela
>>
>> On Thu, 23 Aug 2018 at 16:57, Alexander Petrovsky <
>> askjuise@REDACTED> wrote:
>>
>>> Hello!
>>>
>>> We have stumbled upon the default DH prime (2048 bits) in Erlang when we try
>>> to establish a TLS session with a Cisco SPA303 (VoIP hardphone)
>>> via the TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) cipher suite. Unfortunately,
>>> this hardphone can work only with a 1024-bit DH prime.
>>>
>>> I wonder, why Ingela hardcoded this DH prime -
>>> https://github.com/erlang/otp/commit/3458af579af6600870c5ada69b81085f47e9f52b
>>>
>>> In my synthetic tests, new DH prime generation is fast enough
>>> (crypto:strong_rand_bytes(256)), about 17 us in the 99th percentile over 1000000
>>> iterations.
>>>
>>> Why has Ingela hardcoded this DH prime, and is there any reason why I shouldn't
>>> generate the DH prime in real time?
>>>
>>> --
>>> Петровский Александр / Alexander Petrovsky,
>>>
>>> Skype: askjuise
>>> Phone: +7 931 9877991
>>>
>>> _______________________________________________
>>> erlang-questions mailing list
>>> erlang-questions@REDACTED
>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>
>> --
> Петровский Александр / Alexander Petrovsky,
>
> Skype: askjuise
> Phone: +7 931 9877991
>
>


-- 
Best regards,
Paul Peregud
+48602112091
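
Added example, not part of the thread and not OTP code: one way to do the first-run generation with `openssl dhparam` shown above, verify the resulting file, and hand it to ssl through the `dhfile` option mentioned earlier in the thread. The module name `dh_firstrun`, its function names and the `.tmp` suffix are assumptions; it also assumes the `openssl` binary is on the PATH.

```erlang
%% Added example, not OTP code. Module and function names are hypothetical.
-module(dh_firstrun).
-export([ensure_dhfile/2, check_dhfile/2, listen/4]).
-include_lib("public_key/include/public_key.hrl").

%% Create Path once (install or first start); later starts only re-check it.
ensure_dhfile(Path, Bits) ->
    case filelib:is_regular(Path) of
        true  -> check_dhfile(Path, Bits);
        false -> generate(Path, Bits)
    end.

generate(Path, Bits) ->
    Tmp = Path ++ ".tmp",
    %% Argument vector, no shell: Path is never parsed as shell syntax.
    Args = ["dhparam", "-out", Tmp, integer_to_list(Bits)],
    case os:find_executable("openssl") of
        false -> {error, openssl_not_found};
        Exe ->
            Port = open_port({spawn_executable, Exe},
                             [{args, Args}, exit_status, stderr_to_stdout]),
            Status = wait_exit(Port),
            %% Publish the file only if openssl succeeded and the content checks out.
            case {Status, check_dhfile(Tmp, Bits)} of
                {0, {ok, _} = Ok} -> ok = file:rename(Tmp, Path), Ok;
                {0, Error} -> _ = file:delete(Tmp), Error;
                {_, _} -> _ = file:delete(Tmp), {error, {openssl_exit, Status}}
            end
    end.

wait_exit(Port) ->
    receive
        {Port, {data, _Progress}} -> wait_exit(Port);
        {Port, {exit_status, Status}} -> Status
    end.

%% Decode the PEM and measure the prime before ssl is ever pointed at the file.
check_dhfile(Path, MinBits) ->
    case file:read_file(Path) of
        {ok, Pem} ->
            case lists:keyfind('DHParameter', 1, public_key:pem_decode(Pem)) of
                false -> {error, no_dh_parameters};
                Entry ->
                    #'DHParameter'{prime = P} = public_key:pem_entry_decode(Entry),
                    case length(integer_to_list(P, 2)) of
                        N when N >= MinBits -> {ok, N};
                        N -> {error, {prime_too_small, N}}
                    end
            end;
        {error, Reason} -> {error, {read_failed, Reason}}
    end.

listen(Port, CertFile, KeyFile, DhFile) ->
    ssl:listen(Port, [{certfile, CertFile}, {keyfile, KeyFile}, {dhfile, DhFile}]).
```

`ensure_dhfile/2` returns `{ok, Bits}` with the measured prime length, so a start-up routine can log it or refuse a file smaller than intended before calling `listen/4`.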