Can we disable diffie-hellman-group-exchange-sha1 by default?
Darren Tucker
dtucker at dtucker.net
Fri Feb 15 16:28:17 AEDT 2019
On Fri, 15 Feb 2019 at 16:00, Yegor Ievlev <koops1997 at gmail.com> wrote:
> I don't think there is any point to generate so many moduli. Actually,
> 3 moduli of sizes 2048, 3072 and 4096 seem like a sane choice.
NIST SP 800-57 Part 1, on which the current group size selection code
is based, puts a 4k group at a little over 128 bits of security. This
is why we generate larger groups (and request them, when using 192 and
256 bit ciphers).
--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list