On 2020-02-28 03:37, Salz, Rich via openssl-users wrote:
> *>*Per section Supported Groups in RFC 8446 , FFDHE groups could be
> I was wrong, sorry for the distraction.
> As others have pointed out, it will be in the next (3.0) release.
Note that the group identifiers for the hardwired DH groups were also
present in TLS 1.2, though it is generally safer to use random groups
not shared with other hosts.
The RFC that introduced these groups also added crazy rules that
signaling support for those groups should disable general FFDH
support, making implementation for TLS 1.2 inadvisable.
With the removal of general FFDH from TLS 1.3, it has now become
advisable to implement for TLS 1.3 session but ignore for TLS 1.2
and below sessions, as if not implemented for those, at least as a
default-on compatibility option.
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded