ssl_dhparam and recommended-private-length

Hi,

Nginx offers the possibility to import DH parameters (prime p and
generator g) from an external file. The parameters (p and g) have to be
generated with “openssl dhparam.” In the default setting, openssl
calculates strong primes and uses either 2 or 5 as generator. The
private exponent in modular exponentiation is then very long; its bit
representation is comparable in length to the prime modulus, e.g. 2047
bits with a 2048-bit modulus. However, there is an extra option in
openssl dhparam to generate DSA-type parameters for Diffie-Hellman key
exchange. The main advantage is that the recommended exponent length is
much shorter, e.g. 224 or 256 bits with a 2048-bit modulus. The
length of the exponent has a direct impact on computational complexity
because it determines the number of multiplications and squarings in
modular exponentiation. For example, one could go down from 2048
multiplications and squarings to 256 or 224.

At the moment, nginx passes only the p and g parameters to SSL. It would be
nice to also pass the recommended exponent length to openssl via
dh->length, provided that the recommended-private-length is present in the
PEM file. For the recommended-private-length parameter to be present in the
PEM file, the DH parameters have to be generated with “openssl dhparam
-dsaparam”.

Posted at Nginx Forum:

Well, it seems that openssl can handle it by itself if the recommended
exponent length is in the PEM file. Nginx uses openssl routines to
decode the PEM file in the ngx_ssl_dhparam routine. So the recommended exponent
length should be taken into account. Can anyone more experienced confirm
that?

However, the default values (hardcoded in the nginx source) are a 1024-bit
safe prime p and generator g=2. NIST recommends using primes at least
2048 bits long with a prime-order subgroup of at least 224 bits,
starting from 1 January 2011 :) Does using any of the 2048-bit groups from RFC 5114
as the default make more sense?

Posted at Nginx Forum:
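The PKCS#3 structure both posts are talking about, as an added example that is not from the thread, from nginx or from OpenSSL: a standard-library-only Python encoder and parser for the "DH PARAMETERS" PEM block that ssl_dhparam loads. It shows the optional third INTEGER (privateValueLength, OpenSSL's dh->length, printed as "recommended-private-length") that `openssl dhparam -dsaparam` writes and the safe-prime default omits, the exponent length OpenSSL 1.1.x derives from it in DH_generate_key for a group loaded without q (dh->length if non-zero, otherwise BN_num_bits(p) - 1), and what that costs in square-and-multiply steps. The sample parameters are constructed toy-sized primes (2**127 - 1), not real groups, and all function names are this example's own.

```python
"""Added example (not from the forum thread, nginx or OpenSSL).

`openssl dhparam` writes a PKCS#3 DHParameter into a "DH PARAMETERS" PEM block,
which is what nginx's ssl_dhparam loads:

    DHParameter ::= SEQUENCE {
        prime               INTEGER,            -- p
        base                INTEGER,            -- g
        privateValueLength  INTEGER OPTIONAL }  -- dh->length, "recommended-private-length"

Safe-prime generation omits the third field; `openssl dhparam -dsaparam` sets it.
"""
import base64
import re

PEM_HEADER = "-----BEGIN DH PARAMETERS-----"
PEM_FOOTER = "-----END DH PARAMETERS-----"


def _der_len(n):
    """DER length octets: short form below 128, long form (0x8k + k bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v):
    """DER INTEGER for a non-negative value (an extra leading byte keeps the sign bit clear)."""
    body = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(body)) + body


def encode_dhparams(p, g, length=None):
    """Build the PEM block; pass length= to emulate `openssl dhparam -dsaparam`."""
    body = _der_int(p) + _der_int(g)
    if length is not None:
        body += _der_int(length)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    return "\n".join([PEM_HEADER, *(b64[i:i + 64] for i in range(0, len(b64), 64)), PEM_FOOTER]) + "\n"


def _read_tlv(buf, off):
    """Return (tag, value, next_offset) for the DER element starting at buf[off]."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n


def parse_dhparams(pem):
    """Parse a DH PARAMETERS block into {'p', 'g', 'length'}; length is None when absent."""
    m = re.search(re.escape(PEM_HEADER) + r"(.*?)" + re.escape(PEM_FOOTER), pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    ints, off = [], 0
    while off < len(seq):
        tag, val, off = _read_tlv(seq, off)
        if tag != 0x02:
            raise ValueError("expected INTEGER, got tag 0x%02x" % tag)
        ints.append(int.from_bytes(val, "big"))  # p, g and length are non-negative
    if len(ints) not in (2, 3):
        raise ValueError("DHParameter has 2 or 3 fields, found %d" % len(ints))
    return {"p": ints[0], "g": ints[1], "length": ints[2] if len(ints) == 3 else None}


def private_exponent_bits(params):
    """Exponent length OpenSSL 1.1.x DH_generate_key picks for a group loaded without q:
    dh->length when the file carries a non-zero one, otherwise BN_num_bits(p) - 1."""
    return params["length"] or params["p"].bit_length() - 1


def square_and_multiply(base, exp, mod):
    """Left-to-right binary exponentiation returning (result, squarings, multiplications),
    so the cost of a 2047-bit exponent and a 256-bit one can be compared directly."""
    if exp == 0:
        return 1 % mod, 0, 0
    b = base % mod
    result, sq, mul = b, 0, 0
    for bit in bin(exp)[3:]:  # every bit below the leading one
        result, sq = result * result % mod, sq + 1
        if bit == "1":
            result, mul = result * b % mod, mul + 1
    return result, sq, mul


def exponent_cost(pem, base=2):
    """What a given ssl_dhparam file implies: exponent length and the worst-case
    (all-ones exponent) square-and-multiply count for one private-key derivation."""
    params = parse_dhparams(pem)
    n = private_exponent_bits(params)
    _, sq, mul = square_and_multiply(base, (1 << n) - 1, params["p"])
    return {"modulus_bits": params["p"].bit_length(), "exponent_bits": n,
            "squarings": sq, "multiplications": mul}


# Constructed samples: a toy-sized prime (2**127 - 1) so the example runs instantly.
# It is not a safe prime with a 224/256-bit subgroup, and a real ssl_dhparam file
# has a p of at least 2048 bits; only the encoding is meant to be realistic.
SAFE_PRIME_STYLE_PEM = encode_dhparams(2**127 - 1, 2)       # like `openssl dhparam`: no length field
DSA_STYLE_PEM = encode_dhparams(2**127 - 1, 5, length=64)   # like `openssl dhparam -dsaparam`
```

With the safe-prime style sample, `exponent_cost` reports a 126-bit exponent (modulus bits minus one) and 125 squarings plus 125 multiplications; with the dsaparam-style sample carrying length=64 it reports 63 of each, which is the reduction the first post describes. To run the same check against a real file, `openssl asn1parse -in dhparam.pem` lists the two or three INTEGERs, and `openssl dhparam -in dhparam.pem -text -noout` prints a `recommended-private-length:` line only when the third field is present.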