K 10
svn:author
V 6
iulius
K 8
svn:date
V 27
2019-04-27T09:45:36.857729Z
K 7
svn:log
V 830
nnrpd:  Use 4096-bit DH parameters by default

Remove hard-coded 512, 1024 and 2048-bit DH parameters to only use a 
more secure 4096-bit DH parameter.

When OpenSSL is configured with a security level beyond 1 (which is 
the case with Debian Buster for instance), shorter parameters might
not be accepted. Negotiations for ciphersuites using DHE key exchange
then fail.

From OpenSSL documentation:
"Previous versions of the callback used is_export and keylength
parameters to control parameter generation for export and non-export
cipher suites.  Modern servers that do not support export cipher suites
are advised to either use SSL_CTX_set_tmp_dh() or alternatively, use
the callback but ignore keylength and is_export and simply supply at
least 2048-bit parameters in the callback."

Thanks to Michael Baeuerle for the patch.

END
