Fwd: Requesting to share OpenSSL commands to increase G Parameter length in DHE Cipher.


Fwd: Requesting to share OpenSSL commands to increase G Parameter length in DHE Cipher.

Vadivel P

Hi OpenSSL team,

We are looking for the command line option or any other way to increase the DHE G Parameter length to 256 bytes; by default it's 2 now, and we need to modify it to 256 bytes on the server side for our testing, either by command line or with any other option. We need it for our local server bring-up. Please support us.

Example: 

[attachment: image.png]

Regards,
Vadivel


Re: Fwd: Requesting to share OpenSSL commands to increase G Parameter length in DHE Cipher.

Hubert Kario
On Wednesday, 3 March 2021 11:44:17 CET, Vadivel P wrote:
> Hi OpenSSL team,
>
> We are looking for the command line option or any other way to increase the
> DHE G Parameter length to 256 bytes, by default it's 2 now, we need to
> modify it as 256 byte on the server side for our testing either by command
> line or with any other option. We need it for our local server bring-up.
> Please support us.

Why?
The size of g has no impact on the security of the DHE key agreement
whatsoever...

You really should use the parameters defined in RFC 7919 and not some custom
ones.
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic


Re: Fwd: Requesting to share OpenSSL commands to increase G Parameter length in DHE Cipher.

Kurt Roeckx
On Wed, Mar 03, 2021 at 04:14:17PM +0530, Vadivel P wrote:
> Hi OpenSSL team,
>
> We are looking for the command line option or any other way to increase the
> DHE G Parameter length to 256 bytes, by default it's 2 now, we need to
> modify it as 256 byte on the server side for our testing either by command
> line or with any other option. We need it for our local server bring-up.
> Please support us.

The default generator is the value 2, not 2 bytes. And if you
really need to generate your own DHE keys, using the generator 2
makes perfect sense. Using a larger generator does not add any
security, it just makes it slower.

But I really suggest that you use standardized parameters like the
ones from RFC 7919. Note that all the generators in that RFC also
use 2 as the generator.

OpenSSL has no support for generating safe primes with a 256
byte/2048 bit generator.
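The following is an added illustration of the point both replies make; it is not code from the thread or from OpenSSL. The DH generator g is a group element (the value 2 in every RFC 7919 group), not a byte length, and what limits an attacker is the order of the subgroup that g generates, not how many bytes g takes to encode. The script uses a constructed toy safe prime P = 983 = 2*491 + 1 (chosen with P ≡ 7 mod 8 so that 2 generates the prime-order subgroup, the same shape as the RFC 7919 primes, but far too small for any real use) so the subgroup can be enumerated. All names (`element_order`, `subgroup`, `valid_generator`, `dh_exchange`, `G_BIG`) are this example's own.

```python
"""Toy demonstration: a DH generator is a group element, not a byte length.

Constructed example for illustration only; the prime is tiny so that the
subgroup can be enumerated. Real servers should use RFC 7919 parameters.
"""
import secrets
from typing import Optional, Set, Tuple

P = 983            # constructed toy safe prime: P = 2*Q + 1, P ≡ 7 (mod 8)
Q = (P - 1) // 2   # 491, prime: the order of the subgroup DH keys live in


def encoded_length(g: int) -> int:
    """Bytes needed to carry g as an unsigned big-endian integer, which is what
    the DER/PEM parameter encoding stores. For g = 2 that is a single byte."""
    return max(1, (g.bit_length() + 7) // 8)


def element_order(g: int, p: int, q: int) -> int:
    """Multiplicative order of g modulo a safe prime p = 2q + 1.
    The only divisors of p - 1 = 2q are 1, 2, q and 2q, so those are the
    only possible orders."""
    if not 0 < g < p:
        raise ValueError("g must lie in 1..p-1")
    for d in (1, 2, q, 2 * q):
        if pow(g, d, p) == 1:
            return d
    raise ValueError("p is not a safe prime")


def subgroup(g: int, p: int) -> Set[int]:
    """Enumerate <g>: the set of values a public key g^x mod p can take.
    Feasible only for toy p; with a 2048-bit p this set has ~2^2047 elements."""
    elems, x = set(), 1
    while True:
        x = x * g % p
        elems.add(x)
        if x == 1:
            return elems


def valid_generator(g: int, p: int, q: int) -> bool:
    """Parameter sanity check of the kind a server should apply: g must
    generate the prime-order subgroup, i.e. 1 < g < p-1 and g^q ≡ 1 (mod p).
    A generator of a tiny subgroup (e.g. p-1, order 2) fails this check."""
    return 1 < g < p - 1 and pow(g, q, p) == 1


def dh_exchange(g: int, p: int, q: int,
                a: Optional[int] = None, b: Optional[int] = None) -> Tuple[int, int]:
    """One Diffie-Hellman agreement. Returns (A's shared secret, B's shared secret)."""
    a = a if a is not None else secrets.randbelow(q - 2) + 2
    b = b if b is not None else secrets.randbelow(q - 2) + 2
    ya, yb = pow(g, a, p), pow(g, b, p)      # public values exchanged on the wire
    return pow(yb, a, p), pow(ya, b, p)


# A numerically large generator of the *same* subgroup as g = 2. Every element
# of a prime-order subgroup except 1 generates the whole subgroup, so the
# largest element will do; it needs more bytes than 2 yet yields the same keys.
G_BIG = max(subgroup(2, P))


def compare_generators() -> dict:
    """(encoded bytes, element order, number of possible public keys) per g."""
    return {
        "g=2":   (encoded_length(2),     element_order(2, P, Q),     len(subgroup(2, P))),
        "g=big": (encoded_length(G_BIG), element_order(G_BIG, P, Q), len(subgroup(G_BIG, P))),
        "g=p-1": (encoded_length(P - 1), element_order(P - 1, P, Q), len(subgroup(P - 1, P))),
    }


if __name__ == "__main__":
    for name, (nbytes, order, size) in compare_generators().items():
        print(f"{name:6} encoded in {nbytes} byte(s); order {order}; {size} possible public keys")
    for g in (2, G_BIG):
        sa, sb = dh_exchange(g, P, Q)
        print(f"DH with g={g}: both sides agree -> {sa == sb}")
    print("p-1 accepted as generator?", valid_generator(P - 1, P, Q))
```

Running it shows that g = 2 and the larger G_BIG produce exactly the same set of 491 possible public keys and the same subgroup order, while the two-byte value p-1 generates a subgroup of order 2 and is rejected by the validity check. Enlarging g changes the encoding and the cost of the exponentiation, nothing else; the size of the prime p (and the order q of its subgroup) is the parameter that sets the security level.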