
> Is this really necessary if we link to OpenSSL 1.1 on CentOS 7? 

No -- but replacing all clients is not an option.  For example, we cannot ask experiments to stop using the Run 2 / 3 releases and replace them.

> I say this because I have no idea what the security implications are by making this compatible with OpenSSL 1.0.1 which is known to be not very secure

You can read through the OpenSSL ticket for why they made the change.  The existing DH code we use leaks a single bit of the session key.

Mind you, the existing DH code we use also leaks _all_ bits of the session key because 512-bit DH was broken in the 1990s.

> That way it's easy to get back to a state where fixed DH parameters need not be used

Why?  Fixed DH parameters are done everywhere, on almost every webserver on the planet and IPSec.  I don't understand the emphasis on dynamically generating the DH parameters when there's no strong cryptographic motivation or risk reduction.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/pull/2026#issuecomment-1578910456