[erlang-questions] SSL and hardcoded DH prime

Alexander Petrovsky askjuise@REDACTED
Thu Aug 23 21:43:19 CEST 2018


No, I can use the dh option in Erlang and generate the DH prime and
DH generator in des format. It’s very fast.

Thu, 23 Aug 2018 at 22:07, Paul Peregud <paulperegud@REDACTED> wrote:

> It's a long-ish process. But you can run it during installation or first
> run.
>
> $ time openssl dhparam -out dhparam.pem 2048
> ...
> real    0m3,623s
> user    0m3,612s
> sys    0m0,000s
>
>
>
> On Thu, Aug 23, 2018 at 5:27 PM Alexander Petrovsky <askjuise@REDACTED>
> wrote:
>
>> Yeah, Ingela, thanks! I know about the default value and the dh and dhfile options.
>> The main question: are there any reasons not to generate the DH prime in real time?
>>
>> Thu, 23 Aug 2018 at 20:12, Ingela Andin <ingela.andin@REDACTED> wrote:
>>
>>> Hi!
>>>
>>> It is only the default value that is hard coded (a recommended value); you
>>> may configure your own parameters with the dh or dhfile option.
>>>
>>> Regards Ingela
>>>
>>> On Thu, 23 Aug 2018 at 16:57, Alexander Petrovsky <
>>> askjuise@REDACTED> wrote:
>>>
>>>> Hello!
>>>>
>>>> We have stumbled upon the default DH prime (2048 bits) in Erlang when we try
>>>> to establish a TLS session with a cisco spa303 (VoIP hardphone)
>>>> via the TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) cipher suite. Unfortunately,
>>>> this hardphone can work only with a 1024 bit DH prime.
>>>>
>>>> I wonder why Ingela hardcoded this DH prime -
>>>> https://github.com/erlang/otp/commit/3458af579af6600870c5ada69b81085f47e9f52b
>>>>
>>>> In my synthetic tests, new DH prime generation is fast enough
>>>> (crypto:strong_rand_bytes(256)), about 17 us at the 99th percentile over 1000000
>>>> iterations.
>>>>
>>>> Why has Ingela hardcoded this DH prime, and is there any reason why I
>>>> shouldn't generate the DH prime in real time?
>>>>
>>>> --
>>>> Петровский Александр / Alexander Petrovsky,
>>>>
>>>> Skype: askjuise
>>>> Phone: +7 931 9877991
>>>>
>>>> _______________________________________________
>>>> erlang-questions mailing list
>>>> erlang-questions@REDACTED
>>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>>
>>> --
>> Петровский Александр / Alexander Petrovsky,
>>
>> Skype: askjuise
>> Phone: +7 931 9877991
>>
>>
>
>
> --
> Best regards,
> Paul Peregud
> +48602112091
>
-- 
Петровский Александр / Alexander Petrovsky,

Skype: askjuise
Phone: +7 931 9877991
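
An added example, not part of the original thread and not OTP's own code: one way to load parameters produced by `openssl dhparam` (as in Paul's reply), check the prime size, and hand them to the `dh` option Ingela mentions. The module name `dh_params`, its functions, and the file paths passed in are hypothetical.

```erlang
-module(dh_params).
-export([load/2, listen_opts/3]).
-include_lib("public_key/include/public_key.hrl").

%% Read a PEM file written by `openssl dhparam -out dhparam.pem <bits>`,
%% check the prime size, and return the DER blob that the ssl `dh`
%% option expects. MinBits is the caller's policy (assumption).
load(PemPath, MinBits) ->
    case file:read_file(PemPath) of
        {ok, Pem} -> check(public_key:pem_decode(Pem), MinBits);
        {error, Reason} -> {error, {read_failed, Reason}}
    end.

%% Only an unencrypted "DH PARAMETERS" PEM entry is accepted.
check([{'DHParameter', Der, not_encrypted} | _], MinBits) ->
    #'DHParameter'{prime = P, base = G} =
        public_key:der_decode('DHParameter', Der),
    Bits = bit_length(P, 0),
    if
        Bits < MinBits -> {error, {prime_too_small, Bits}};
        G < 2          -> {error, {bad_generator, G}};
        true           -> {ok, #{der => Der, bits => Bits, generator => G}}
    end;
check(_Other, _MinBits) ->
    {error, no_dh_parameters}.

%% Number of significant bits in a non-negative integer.
bit_length(0, Acc) -> Acc;
bit_length(N, Acc) when N > 0 -> bit_length(N bsr 1, Acc + 1).

%% Server options carrying the checked parameters instead of the
%% built-in default group. CertFile and KeyFile are placeholders.
listen_opts(CertFile, KeyFile, Der) ->
    [{certfile, CertFile},
     {keyfile, KeyFile},
     {dh, Der}].
```

The `dhfile` option takes the PEM path directly; going through `dh` lets the size check run once at startup before the listener is opened.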