Skip to content

SSL: upgrade the default DH parameters

We have been using as default DH parameters the 1024-bit MODP group. This is now considered insecure, and applications should use the 2048-bit at a minimum [1]. This commit therefore replaces the parameters with the 2048-bit MODP group from [2].

To double check the data, use openssl asn1parse to verify that the prime matches. For instance:

  1. put the encoded string in a encoded.txt file (c&p from the source, removing the double quotes)

  2. put the hexadecimal value of the 2048-bit group in a reference.txt file (c&p from [2])

  3. compare the output of openssl asn1parse with the reference. For instance like this:

    $ diff <(openssl asn1parse < encoded.txt | grep -m 1 INTEGER | perl -pe 's/.*://; s/\n//') <(perl -0777 -pe 's/\s//g' reference.txt) && echo OK OK

[1] https://datatracker.ietf.org/doc/html/rfc8247#section-2.4 [2] https://datatracker.ietf.org/doc/html/rfc3526#section-3

[ChangeLog][QtNetwork][QSslDiffieHellmanParameters] The default Diffie-Hellman parameters are now using the 2048-bit MODP group from RFC 3526.

Pick-to: 6.6 6.5 6.2 5.15 Change-Id: I47133cd78ba0e954b8f93a3da09fa2c760c9f7a8 Reviewed-by: Timur Pocheptsov timur.pocheptsov@qt.io (cherry picked from commit 3ec24e32)

Merge request reports