ssl_dhparam and recommended-private-length

timo2 nginx-forum at nginx.us
Mon Jan 3 15:05:13 MSK 2011


Well, it seems that openssl can handle it by itself if the recommended
exponent length is in the pem file. Nginx uses openssl routines to
decode the PEM file in the ngx_ssl_dhparam routine, so the recommended
exponent length should be taken into account. Can anyone more experienced
confirm that?

However, the default values (hardcoded in the nginx source) are a 1024-bit
safe prime p and generator g=2. NIST recommends using primes at least
2048 bits long, with a prime-order subgroup of at least 224 bits,
starting from 1 January 2011 :) Would using a 2048-bit group from RFC 5114
as the default make more sense?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,163037,163078#msg-163078
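The post talks about two things nginx hands to OpenSSL from the ssl_dhparam file: the prime p and the optional recommended private exponent length. The structure inside a "DH PARAMETERS" PEM block is the PKCS#3 DHParameter sequence (p, g, and an optional privateValueLength). The following is an added example, not code from the post or from nginx: a small self-contained parser that decodes such a PEM, reports how long p is and whether the recommended-private-length is present, and checks the values against the NIST thresholds quoted above. The sample parameters are constructed in the block itself from a toy 127-bit prime so the example runs offline; they are not a real DH group and must not be used for TLS.

```python
"""Inspect a DH PARAMETERS PEM (the file nginx's ssl_dhparam points at).

DER/PEM layout assumed here (PKCS#3):
    DHParameter ::= SEQUENCE {
        prime               INTEGER,   -- p
        base                INTEGER,   -- g
        privateValueLength  INTEGER OPTIONAL  -- "recommended-private-length"
    }
"""
import base64
import textwrap
from typing import Optional


def _der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value: int) -> bytes:
    """DER INTEGER for a non-negative value; the extra byte keeps the sign bit clear."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(body)) + body


def encode_dh_params(p: int, g: int, private_value_length: Optional[int] = None) -> bytes:
    """Build the DER SEQUENCE; privateValueLength is emitted only when given."""
    inner = _der_int(p) + _der_int(g)
    if private_value_length is not None:
        inner += _der_int(private_value_length)
    return b"\x30" + _der_len(len(inner)) + inner


def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN DH PARAMETERS-----\n"
            + "\n".join(textwrap.wrap(b64, 64)) + "\n"
            + "-----END DH PARAMETERS-----\n")


def _read_tlv(buf: bytes, off: int):
    """Return (tag, contents, offset after this element) for one DER TLV."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def parse_dh_params_pem(pem: str) -> dict:
    lines = [line.strip() for line in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN DH PARAMETERS-----" or lines[-1] != "-----END DH PARAMETERS-----":
        raise ValueError("not a DH PARAMETERS PEM block")
    der = base64.b64decode("".join(lines[1:-1]))
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("malformed DER: expected exactly one SEQUENCE")
    ints, off = [], 0
    while off < len(seq):
        tag, body, off = _read_tlv(seq, off)
        if tag != 0x02:
            raise ValueError("malformed DER: expected INTEGER inside SEQUENCE")
        ints.append(int.from_bytes(body, "big", signed=True))
    if len(ints) not in (2, 3):
        raise ValueError("DHParameter must hold 2 or 3 INTEGERs")
    p, g = ints[0], ints[1]
    return {"p": p, "p_bits": p.bit_length(), "g": g,
            "private_value_length": ints[2] if len(ints) == 3 else None}


def assess(params: dict, min_p_bits: int = 2048, min_exp_bits: int = 224) -> dict:
    """Check against the thresholds quoted in the post: p >= 2048 bits, exponent >= 224 bits."""
    findings = []
    if params["p_bits"] < min_p_bits:
        findings.append(f"p is {params['p_bits']} bits, below {min_p_bits}")
    pvl = params["private_value_length"]
    if pvl is None:
        findings.append("no privateValueLength: the library falls back to its own default exponent length")
    elif pvl < min_exp_bits:
        findings.append(f"privateValueLength {pvl} is below {min_exp_bits}")
    return {"ok": not findings, "findings": findings}


# Constructed toy parameters: 2**127 - 1 is prime but far too small and not a
# safe prime; it exists only so the parser has something to chew on offline.
TOY_P = 2 ** 127 - 1
EXAMPLE_PEM = to_pem(encode_dh_params(TOY_P, 2, 256))

if __name__ == "__main__":
    info = parse_dh_params_pem(EXAMPLE_PEM)
    print(f"p: {info['p_bits']} bits, g = {info['g']}, "
          f"recommended-private-length: {info['private_value_length']}")
    for finding in assess(info)["findings"]:
        print("  -", finding)
```

Pointed at a real ssl_dhparam file, the same parser will show whether the privateValueLength field that the post relies on is actually present, and flag a 1024-bit p the way the hardcoded nginx default would be flagged.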
