[Operators] IM Observatory and Diffie-Hellman parameters

Jonas Wielicki xmpp-operators at sotecware.net
Wed Nov 13 15:41:22 UTC 2013


On 13.11.2013 16:31, Fedor Brunner wrote:> This information is quite
important because during DHE key exchange a
> temporary key is generated. This temporary key is used for encryption of
> the communication and the server public RSA key is used ONLY for signing
> of this temporary key and NOT for encryption of the communication. The
> problem is that in many cases the temporary key much shorter than the
> server RSA key.
> 
> For example the server jabber.ccc.de uses 2048 bit RSA public key, but
> the length of the temporary key is only 1024 bit. The public key score
> is 90, cipher score is 90
> http://xmpp.net/result.php?domain=jabber.ccc.de&type=server

I agree that this information is important, however, there are
implementations which do not support more than 1024 bits of DH and are
unable to negotiate an TLS connection if the 1024 are exceeded, without
the app or the user knowing why it failed. This means, if you have
1024bit EDH and the client and server agree on negotiating EDH (likely
if the client prefers it, as it should), they're unable to connect.

This seems to affect primarily java and some versions of openssl, as
I've learnt on this list.

regards,
jw


More information about the Operators mailing list