
DH parameters really should be checked for obvious problems

Question asked by Lily Wilson on Jan 21, 2015
Latest reply on Jan 22, 2015 by Lily Wilson

Currently DH parameters don't seem to be checked for anything except the size of the "prime" (they're not even checked to make sure they're prime!), which can lead to ridiculously insecure sites still getting a good grade:

Qualys SSL Labs - Projects / SSL Server Test / xn--olrin-1ta.thinkindifferent.net

This site uses 3^2584 as the "prime" and (3^2584-1)/2 as the generator for DH, but still gets A+!
