[erlang-questions] SSL and hardcoded DH prime

Ingela Andin ingela.andin@REDACTED
Thu Aug 23 19:12:18 CEST 2018


Hi!

It is only the default value that is hard coded (a recommended value); you
may configure your own parameters with the dh or dhfile option.

Regards Ingela

On Thu, 23 Aug 2018 at 16:57, Alexander Petrovsky <askjuise@REDACTED> wrote:

> Hello!
>
> We have stumbled upon the default DH prime (2048 bits) in Erlang when we try to
> establish a TLS session with a Cisco SPA303 (VoIP hardphone)
> via the TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) cipher suite. Unfortunately,
> this hardphone can work only with a 1024 bit DH prime.
>
> I wonder why Ingela hardcoded this DH prime -
> https://github.com/erlang/otp/commit/3458af579af6600870c5ada69b81085f47e9f52b
>
> In my synthetic tests, new DH prime generation is fast enough
> (crypto:strong_rand_bytes(256)), about 17 us in the 99th percentile over 1000000
> iterations.
>
> Why has Ingela hardcoded this DH prime, and is there any reason why I shouldn't
> generate a DH prime in real time?
>
> --
> Петровский Александр / Alexander Petrovsky,
>
> Skype: askjuise
> Phone: +7 931 9877991
>
>
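
One way to use the `dh` option mentioned in the reply above, as an added example that is not part of the original thread or of OTP's own code. The module name, the function names `load_dh/2` and `listen/3`, and the PEM path are hypothetical; the PEM file is assumed to come from a tool such as `openssl dhparam`. The loader decodes the parameters and checks the prime size before handing them to `ssl:listen/2`, so a file with smaller parameters than intended is rejected at startup.

```erlang
-module(dh_params_example).          % hypothetical module name
-export([load_dh/2, listen/3]).

-include_lib("public_key/include/public_key.hrl").

%% Read a PEM file (e.g. from `openssl dhparam -out dh.pem 2048`) and
%% return the DER-encoded DH parameters in the form the ssl `dh` option
%% expects. MinBits is the smallest prime size the caller accepts.
-spec load_dh(file:filename(), pos_integer()) ->
          {ok, binary()} | {error, term()}.
load_dh(Path, MinBits) ->
    case file:read_file(Path) of
        {ok, Pem} -> check_entries(public_key:pem_decode(Pem), MinBits);
        {error, _} = Err -> Err
    end.

%% Take the first DH PARAMETERS entry in the PEM and validate it.
check_entries([{'DHParameter', Der, not_encrypted} = Entry | _], MinBits) ->
    #'DHParameter'{prime = P, base = G} = public_key:pem_entry_decode(Entry),
    Bits = bit_length(P),
    if
        Bits < MinBits -> {error, {prime_too_small, Bits}};
        G < 2          -> {error, {bad_generator, G}};
        true           -> {ok, Der}
    end;
check_entries([_Other | Rest], MinBits) ->
    check_entries(Rest, MinBits);
check_entries([], _MinBits) ->
    {error, no_dh_parameters}.

%% Exact bit length of a non-negative integer.
bit_length(0) -> 0;
bit_length(N) when N > 0 -> 1 + bit_length(N bsr 1).

%% Start a TLS listener with the validated parameters. ServerOpts must
%% carry the usual server options (certfile, keyfile, ...), and the ssl
%% application must already be started. The 2048-bit floor matches the
%% size of the default discussed in this thread.
listen(Port, DhPemPath, ServerOpts) ->
    case load_dh(DhPemPath, 2048) of
        {ok, Der} -> ssl:listen(Port, [{dh, Der} | ServerOpts]);
        {error, _} = Err -> Err
    end.
```

Passing `{dhfile, Path}` instead of `{dh, Der}` lets ssl read the file itself, without the size check shown here.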