Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt

[Hubert Kario <hkario@redhat.com>]

On Sunday 26 October 2014 09:11:09 Henrick Hellström wrote:
> On 2014-10-26 08:09, Nikos Mavrogiannopoulos wrote:
> > Note also, that the current approach will simplify a lot an implementation
> > that doesn't want to keep the old DHE key exchange with arbitrary groups
> > (and unlike the other key exchanges in TLS, DHE was the most problematic
> > compatibility-wise so I guess many small implementations would be more
> > than happy to drop it).
> 
> I don't know about compatibility issues, but rather see a security issue
> that SSL 3.0 up to TLS 1.2 didn't explicitly require the DHE parameters
> to have a bit size greater than or equal to the certificate public key.
> I don't know how common it is for clients that offer DHE cipher suites
> to be able to use the server certificate key for signature verification,
> but unable to compute a DHE handshake using integers of a comparable
> size. I doesn't seem reasonable to expect this to be a problem of such
> magnitude, that the standards should keep an acceptance for low(er)
> security (than necessary) in order to keep interoperability with such
> clients.

That's the case for nearly all implementations of Java. JRE before 1.7 support 
at most 1024 bit DHE, while will support 2048 or 3072 bit RSA just fine.
1.8 only increased the limit to (IIRC) 2048 bit for DHE.

-- 
Regards,
Hubert Kario