Re: [TLS] Sending Custom DHE Parameters in TLS 1.3

Hanno Böck <> Tue, 13 October 2020 06:49 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CF50F3A0EA1 for <>; Mon, 12 Oct 2020 23:49:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id NViZAT-le_A2 for <>; Mon, 12 Oct 2020 23:49:43 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E213E3A0E9D for <>; Mon, 12 Oct 2020 23:49:42 -0700 (PDT)
Received: from computer ([2a02:8109:83c0:5eee:a45a:3e64:5f8f:6786]) (AUTH: PLAIN, SSL: TLSv1.3, 256bits, TLS_AES_256_GCM_SHA384) by with ESMTPSA id 0000000000000091.000000005F854E03.000076CC; Tue, 13 Oct 2020 08:49:39 +0200
Date: Tue, 13 Oct 2020 08:49:39 +0200
From: Hanno Böck <>
Message-ID: <20201013084939.17572673@computer>
In-Reply-To: <>
References: <>
X-Mailer: Claws Mail 3.17.7 (GTK+ 2.24.32; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [TLS] Sending Custom DHE Parameters in TLS 1.3
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 13 Oct 2020 06:49:45 -0000


There was a reason custom DH parameters were removed.
Custom DH parameters were the source of plenty of problems.

I suggest reading:

There's also a more general theme I think what we have learned over
Moving parts in crypto protocols are bad, simplicity is good. Fix as
much as you can, avoid negotiating stuff.

This is not talked about that much explicitly, but it is a major change
of how crypto protocols were designed in the past (i.e. TLS 1.2 times)
where it was often considered desirable to add as much flexibility as

(Also FWIW the relevance of DH is pretty small these days. I think the
largest web clients simply don't support it at all.)

Hanno Böck