
And what about SSH?

Posted May 24, 2015 9:35 UTC (Sun) by reubenhwk (guest, #75803)
In reply to: And what about SSH? by wahern
Parent article: Another crypto downgrade attack: Logjam

Generating a new DH* in OpenSSL can be very slow, especially 1024+ bits. It's not something you really want to do on startup. Better to read the p & g params from a file, then fork off a new process to generate new p & g in the background, then write them out when done...
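
The approach described in the comment above (keep serving the parameters already on disk, regenerate in the background, swap the file when done), as an added shell example that is not part of the original thread. The function names, the `DH_GEN` override, the 0644 mode and the temp-file-plus-rename step are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Assumption: the daemon reads its DH parameters from a PEM file and
# re-reads that file on reload or restart.

# dh_generate OUT BITS: the slow step.
# DH_GEN (hypothetical hook) names an alternative generator command that
# takes the same two arguments; by default `openssl dhparam` is used.
dh_generate() {
    if [ -n "${DH_GEN:-}" ]; then
        "$DH_GEN" "$1" "$2"
    else
        openssl dhparam -out "$1" "$2"
    fi
}

# dh_refresh_bg FILE BITS
# Returns immediately and records the worker PID in DH_REFRESH_PID.
# The worker writes to a temp file in the same directory as FILE and
# renames it over FILE only after generation succeeded, so readers never
# see a half-written file and a failed run leaves the old parameters
# untouched.
dh_refresh_bg() {
    dh_file=$1
    dh_bits=$2
    dh_tmp=$(mktemp "${dh_file}.XXXXXX") || return 1
    (
        if dh_generate "$dh_tmp" "$dh_bits" && [ -s "$dh_tmp" ]; then
            # DH parameters are public values, so world-readable is fine.
            chmod 644 "$dh_tmp" && mv -f "$dh_tmp" "$dh_file"
        else
            rm -f "$dh_tmp"
            exit 1
        fi
    ) >/dev/null 2>&1 &
    DH_REFRESH_PID=$!
}
```

A startup script would load the existing file first and only then call `dh_refresh_bg` with the file path and the desired size, so startup never waits on generation.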


And what about SSH?

Posted May 27, 2015 17:40 UTC (Wed) by flussence (guest, #85566)

Something seems off here: `openssl dhparam 3072` takes 3-4 minutes for me on a fairly high end Intel server CPU, which is in line with what you said, but the gnutls equivalent `certtool --generate-dh-params --sec-param=high` takes 1-2 *seconds*.
