[erlang-questions] SSL and hardcoded DH prime

Fri Aug 24 10:33:43 CEST 2018

No problem, thanks!

Oh, shame on me, I forget that it's not a random number, it's random prime,
> so, you are absolutely right, it's not so fast. Thanks.
>
> пт, 24 авг. 2018 г. в 10:48, Frank Muller <frank.muller.erl@REDACTED>:
>
>> It’s not about that. Generating a 2048 DH can take a long time. And you
>> said it’s fast and you want to make it real time.
>>
>> From official ssl doc
>>> http://erlang.org/doc/man/ssl.html
>>>
>>> *{dh, public_key:der_encoded()}*
>>>
>>> The DER-encoded Diffie-Hellman parameters. If specified, it overrides
>>> option dhfile.
>>>
>>> пт, 24 авг. 2018 г. в 6:11, Frank Muller <frank.muller.erl@REDACTED>:
>>>
>>>> How? Show us please!!!
>>>>
>>>> No, I can use dh option in Erlang and generate in des format DH prime
>>>>> and DH generator. It’s very fast.
>>>>>
>>>>> чт, 23 авг. 2018 г. в 22:07, Paul Peregud <paulperegud@REDACTED>:
>>>>>
>>>>>> Its a long-ish process. But you can run it during installation or
>>>>>> first run.
>>>>>>
>>>>>> $ time openssl dhparam -out dhparam.pem 2048
>>>>>> ...
>>>>>> real    0m3,623s
>>>>>> user    0m3,612s
>>>>>> sys    0m0,000s
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Thu, Aug 23, 2018 at 5:27 PM Alexander Petrovsky <
>>>>>> askjuise@REDACTED> wrote:
>>>>>>
>>>>>>> Yeah, Ingela, thanks! About default value and dh, dhfile options I
>>>>>>> know. The main question - is the any reasons don’t generate DH prime in
>>>>>>> real-time?
>>>>>>>
>>>>>>> чт, 23 авг. 2018 г. в 20:12, Ingela Andin <ingela.andin@REDACTED>:
>>>>>>>
>>>>>>>> Hi!
>>>>>>>>
>>>>>>>> It is only the default value that is hard coded (a recommend
>>>>>>>> value), you may configure your own parameters with dh or dhfile option.
>>>>>>>>
>>>>>>>> Regards Ingela
>>>>>>>>
>>>>>>>> Den tors 23 aug. 2018 kl 16:57 skrev Alexander Petrovsky <
>>>>>>>> askjuise@REDACTED>:
>>>>>>>>
>>>>>>>>> Hello!
>>>>>>>>>
>>>>>>>>> We have stumble upon default DH prime (2048 bits) in Erlang when
>>>>>>>>> we try to establish TLS session with cisco spa303 (VoIP hardphone)
>>>>>>>>> via TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) cipher suite. Unfortunately,
>>>>>>>>> this hardphone can work only with 1024 bit DH prime.
>>>>>>>>>
>>>>>>>>> I wonder, why Ingela hardcoded this DH prime -
>>>>>>>>> https://github.com/erlang/otp/commit/3458af579af6600870c5ada69b81085f47e9f52b
>>>>>>>>>
>>>>>>>>> In my synthetical tests, new DH prime generation is fast enough
>>>>>>>>> (crypto:strong_rand_bytes(256)), about 17 us in 99 percentile in 1000000
>>>>>>>>> iterations.
>>>>>>>>>
>>>>>>>>> Why Ingela has hardcoded this DH prime and is any reason why I
>>>>>>>>> shouldn't generate DH prime in real-time?
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Петровский Александр / Alexander Petrovsky,
>>>>>>>>>
>>>>>>>>> Skype: askjuise
>>>>>>>>> Phone: +7 931 9877991
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> erlang-questions mailing list
>>>>>>>>> erlang-questions@REDACTED
>>>>>>>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>>>>>>>
>>>>>>>> --
>>>>>>> Петровский Александр / Alexander Petrovsky,
>>>>>>>
>>>>>>> Skype: askjuise
>>>>>>> Phone: +7 931 9877991
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> erlang-questions mailing list
>>>>>>> erlang-questions@REDACTED
>>>>>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Best regards,
>>>>>> Paul Peregud
>>>>>> +48602112091
>>>>>>
>>>>> --
>>>>> Петровский Александр / Alexander Petrovsky,
>>>>>
>>>>> Skype: askjuise
>>>>> Phone: +7 931 9877991
>>>>>
>>>>> _______________________________________________
>>>>> erlang-questions mailing list
>>>>> erlang-questions@REDACTED
>>>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>>>
>>>> --
>>> Петровский Александр / Alexander Petrovsky,
>>>
>>> Skype: askjuise
>>> Phone: +7 931 9877991
>>>
>>>
>
> --
> Петровский Александр / Alexander Petrovsky,
>
> Skype: askjuise
> Phone: +7 931 9877991
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20180824/d90f7187/attachment.htm>