Project

General

Profile

Actions

Bug #8582

closed

Ship RFC 7919-provided DH groups

Added by Anonymous over 6 years ago. Updated over 6 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Operating System
Target version:
Start date:
06/19/2018
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:
All

Description

Currently, pfSense ships DH groups at sizes 1024, 2048, and 4096, with no statement as to how/where/when these groups were generated. Current best practice is to ship and use DH groups from RFC 7919, Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS). The DH group values provided in this RFC have been audited for security, and are the safest values for end-users. 1024-bit groups are not provided, as this size is considered insufficient for security, so 1024-bit groups would have to be generated and shipped, but the RFC provides values for 2048, 3072, 4096, 6144, and 8192-bit groups.

Actions

Also available in: Atom PDF