[erlang-questions] SSL and hardcoded DH prime

Alexander Petrovsky askjuise@REDACTED
Fri Aug 24 10:29:51 CEST 2018


Oh, shame on me, I forget that it's not a random number, it's random prime,
so, you are absolutely right, it's not so fast. Thanks.

пт, 24 авг. 2018 г. в 10:48, Frank Muller <frank.muller.erl@REDACTED>:

> It’s not about that. Generating a 2048 DH can take a long time. And you
> said it’s fast and you want to make it real time.
>
> From official ssl doc
>> http://erlang.org/doc/man/ssl.html
>>
>> *{dh, public_key:der_encoded()}*
>>
>> The DER-encoded Diffie-Hellman parameters. If specified, it overrides
>> option dhfile.
>>
>> пт, 24 авг. 2018 г. в 6:11, Frank Muller <frank.muller.erl@REDACTED>:
>>
>>> How? Show us please!!!
>>>
>>> No, I can use dh option in Erlang and generate in des format DH prime
>>>> and DH generator. It’s very fast.
>>>>
>>>> чт, 23 авг. 2018 г. в 22:07, Paul Peregud <paulperegud@REDACTED>:
>>>>
>>>>> Its a long-ish process. But you can run it during installation or
>>>>> first run.
>>>>>
>>>>> $ time openssl dhparam -out dhparam.pem 2048
>>>>> ...
>>>>> real    0m3,623s
>>>>> user    0m3,612s
>>>>> sys    0m0,000s
>>>>>
>>>>>
>>>>>
>>>>> On Thu, Aug 23, 2018 at 5:27 PM Alexander Petrovsky <
>>>>> askjuise@REDACTED> wrote:
>>>>>
>>>>>> Yeah, Ingela, thanks! About default value and dh, dhfile options I
>>>>>> know. The main question - is the any reasons don’t generate DH prime in
>>>>>> real-time?
>>>>>>
>>>>>> чт, 23 авг. 2018 г. в 20:12, Ingela Andin <ingela.andin@REDACTED>:
>>>>>>
>>>>>>> Hi!
>>>>>>>
>>>>>>> It is only the default value that is hard coded (a recommend value),
>>>>>>> you may configure your own parameters with dh or dhfile option.
>>>>>>>
>>>>>>> Regards Ingela
>>>>>>>
>>>>>>> Den tors 23 aug. 2018 kl 16:57 skrev Alexander Petrovsky <
>>>>>>> askjuise@REDACTED>:
>>>>>>>
>>>>>>>> Hello!
>>>>>>>>
>>>>>>>> We have stumble upon default DH prime (2048 bits) in Erlang when we
>>>>>>>> try to establish TLS session with cisco spa303 (VoIP hardphone)
>>>>>>>> via TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) cipher suite. Unfortunately,
>>>>>>>> this hardphone can work only with 1024 bit DH prime.
>>>>>>>>
>>>>>>>> I wonder, why Ingela hardcoded this DH prime -
>>>>>>>> https://github.com/erlang/otp/commit/3458af579af6600870c5ada69b81085f47e9f52b
>>>>>>>>
>>>>>>>> In my synthetical tests, new DH prime generation is fast enough
>>>>>>>> (crypto:strong_rand_bytes(256)), about 17 us in 99 percentile in 1000000
>>>>>>>> iterations.
>>>>>>>>
>>>>>>>> Why Ingela has hardcoded this DH prime and is any reason why I
>>>>>>>> shouldn't generate DH prime in real-time?
>>>>>>>>
>>>>>>>> --
>>>>>>>> Петровский Александр / Alexander Petrovsky,
>>>>>>>>
>>>>>>>> Skype: askjuise
>>>>>>>> Phone: +7 931 9877991
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> erlang-questions mailing list
>>>>>>>> erlang-questions@REDACTED
>>>>>>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>>>>>>
>>>>>>> --
>>>>>> Петровский Александр / Alexander Petrovsky,
>>>>>>
>>>>>> Skype: askjuise
>>>>>> Phone: +7 931 9877991
>>>>>>
>>>>>> _______________________________________________
>>>>>> erlang-questions mailing list
>>>>>> erlang-questions@REDACTED
>>>>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Best regards,
>>>>> Paul Peregud
>>>>> +48602112091
>>>>>
>>>> --
>>>> Петровский Александр / Alexander Petrovsky,
>>>>
>>>> Skype: askjuise
>>>> Phone: +7 931 9877991
>>>>
>>>> _______________________________________________
>>>> erlang-questions mailing list
>>>> erlang-questions@REDACTED
>>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>>
>>> --
>> Петровский Александр / Alexander Petrovsky,
>>
>> Skype: askjuise
>> Phone: +7 931 9877991
>>
>>

-- 
Петровский Александр / Alexander Petrovsky,

Skype: askjuise
Phone: +7 931 9877991
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20180824/4dc1038a/attachment.htm>


More information about the erlang-questions mailing list