int/modern misreport insufficient DHE/ECC bits for PFS #119
My system is configured to use the P-384 curve rather than P-256, like so:
prio ciphersuite protocols pfs curves
In this config, I get this output in analyze.py:
This appears to be because intermediate and modern both set the "must_match" flag when calling has_good_pfs(), which means they require exactly those 2 bit levels (2048 for DHE, 256 for ECC), or will complain.
"old" works fine: it specifies must_match=True as well, but it also recommends specific values to use for maximum compatibility, so this seems reasonable.
I have a similar problem.
I looked at the code and saw that it was checking that the size of dhparam should be the same as the size of the RSA key.
I'm not sure this is the right logic. At least ssllabs does not find anything wrong with this combination.
Is it still a bug or not?
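The difference between the exact-match check described in the first report and a minimum-strength check, sketched as an added example (not code from this thread or from the project's analyze.py). The descriptor format, the names `parse_pfs` and `check_pfs`, and the sample values are assumptions made for illustration; only the 2048/256 bit levels come from the report.

```python
import re

# Bit levels named in the report: 2048 for DHE, 256 for ECC.
TARGET = {"DH": 2048, "ECDH": 256}

# Constructed sample descriptors in an assumed "KEX[,curve],NNNbits" form.
SAMPLES = [
    "ECDH,P-256,256bits",
    "ECDH,P-384,384bits",   # the reporter's configuration
    "DH,2048bits",
    "DH,4096bits",
    "DH,1024bits",
    "None",
]

def parse_pfs(desc):
    """Return (kex, bits), or None when no PFS key exchange is described."""
    m = re.fullmatch(r"(ECDH|DH),(?:[^,]+,)?(\d+)bits", desc)
    return (m.group(1), int(m.group(2))) if m else None

def check_pfs(desc, must_match):
    """Hypothetical checker: returns a list of failures (empty means pass)."""
    parsed = parse_pfs(desc)
    if parsed is None:
        return ["no PFS key exchange"]
    kex, bits = parsed
    target = TARGET[kex]
    # Anything weaker than the target is a real finding in both modes.
    if bits < target:
        return [f"{kex} {bits} bits is below the {target}-bit floor"]
    # Exact matching also rejects parameters that are stronger than the target,
    # which is how a P-384 server ends up flagged.
    if must_match and bits != target:
        return [f"{kex} {bits} bits is not exactly {target}"]
    return []

def compare(samples=SAMPLES):
    """Map each descriptor to (exact-match failures, floor-only failures)."""
    return {d: (check_pfs(d, True), check_pfs(d, False)) for d in samples}

if __name__ == "__main__":
    for desc, (exact, floor) in compare().items():
        print(f"{desc:20} exact={exact or 'ok'} floor={floor or 'ok'}")
```

Only the stronger-than-target rows (P-384, 4096-bit DH) differ between the two modes; the 1024-bit DH row fails in both.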