Question about the Diffie-Hellman parameter of the built-in HTTPS server.

Added by Стойчо Стефанов Stoycho Stefanov about 10 years ago

Hi,

In the FAQ it is shown how to use the built-in HTTPS server, and it works fine, but I don't know what to do with the temporary file containing random Diffie-Hellman parameters. Should I create a different one every time I start the server, or is it irrelevant if I use the same DH parameters? What will happen if I start two servers with the same certificate, private key and DH-parameter temp file; is there a security danger?

best regards,

Stoycho


Replies (5)

RE: Question about the Diffie-Hellman parameter of the built-in HTTPS server. - Added by Wim Dumon about 10 years ago

You should talk to a crypto-expert :)

See man ssl_ctx_set_tmp_dh, which has some useful information on this topic.

I'd love to hear an expert's opinion on this.

Wim.

RE: Question about the Diffie-Hellman parameter of the built-in HTTPS server. - Added by Thomas Suckow over 7 years ago

The example on

http://redmine.webtoolkit.eu/projects/wt/wiki/Frequently_Asked_Questions#Q-How-do-I-use-the-built-in-HTTPS-server-in-wthttpd

is terribly, laughably insecure.

The key size should be at least 1024 but 2048 would be better.

https://weakdh.org/

Browsers are not even allowing 512 anymore.

RE: Question about the Diffie-Hellman parameter of the built-in HTTPS server. - Added by Thomas Suckow over 7 years ago

I also meant to say, you don't need to make a new one each time.

RE: Question about the Diffie-Hellman parameter of the built-in HTTPS server. - Added by Koen Deforche over 7 years ago

Thomas, good point. I've updated the example to go with the modern times.

RE: Question about the Diffie-Hellman parameter of the built-in HTTPS server. - Added by Стойчо Стефанов Stoycho Stefanov over 7 years ago

Thanks Thomas,

it's amazing that someone answers a question almost 3 years later. Thanks a lot!