K 10
svn:author
V 6
iulius
K 8
svn:date
V 27
2019-05-31T22:39:22.943207Z
K 7
svn:log
V 879
nnrpd:  Adapt the length of DH parameters depending on security level

Remove hard-coded 512 and 1024-bit DH parameters to only use 
more secure DH parameters taken from a more recent RFC 7919.

When OpenSSL is configured with a security level beyond 1 (which is 
the case with Debian Buster for instance), shorter parameters might
not be accepted.  Negotiations for ciphersuites using DHE key exchange 
then fail.

From OpenSSL documentation:
"Previous versions of the callback used is_export and keylength
parameters to control parameter generation for export and non-export
cipher suites.  Modern servers that do not support export cipher suites
are advised to either use SSL_CTX_set_tmp_dh() or alternatively, use
the callback but ignore keylength and is_export and simply supply at
least 2048-bit parameters in the callback."

Thanks to Michael Baeuerle for the bug report.

END
