[Bug 243724] www/pound: Use -dsaparam for openssl dhparam to cut build time

bugzilla-noreply at freebsd.org
Mon Feb 3 12:34:53 UTC 2020


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=243724

--- Comment #4 from Eirik Oeverby <ltning-freebsd at anduin.net> ---
(In reply to Zeus Panchenko from comment #3)

It's not terribly obvious (in fact it might be outright wrong), and anyone
relying on params generated at compile time on the FreeBSD build cluster is
not going to care anyway. We build our packages in-house and pound tends to get
rebuilt quite often due to other dependencies.

See https://security.stackexchange.com/questions/42415/openvpn-dhparam for an
excellent discussion about this - usual caveats about trusting stackexchange
obviously apply; I'm referring to it because it's easily-digestable
information.

Basic takeaways:
 - Not using -dsaparam offers no meaningful security benefit
 - Using -dsaparam has no appreciable negative side effects (performance is
mentioned, but that's mostly theoretical)
 - Using different primes (dhparam) than the rest of the world is a good thing

All I'm asking for is a dramatic reduction in compile time (especially with
system defaults of large primes) in exchange for zero reduction in security. :)

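Why -dsaparam is so much faster, shown as an added example that is not code from the bug report, from pound, from OpenSSL or from the FreeBSD port: the default `openssl dhparam` search wants a safe prime p = 2q + 1 where both p and q are prime, so almost every candidate is thrown away after one or two primality tests; the -dsaparam search fixes a prime q once and only has to find a single prime p = j*q + 1, then derives a generator of the order-q subgroup from q. The toy implementation below (Miller-Rabin, 256-bit p and 160-bit q, sizes chosen for speed rather than realism) reproduces both strategies and checks the result the way `openssl dhparam -check` would. One caveat the takeaways do not mention: the dhparam(1) manual page warns that with DSA-style parameters a fresh DH key should be generated for each use to avoid small-subgroup attacks, so the "no negative side effects" claim holds for ephemeral DHE but not for a server that reuses a DH private key across handshakes.

```python
"""Toy re-implementation of the two search strategies behind `openssl dhparam`
(default safe-prime search vs. -dsaparam), added to illustrate the bug-report
discussion; it is not code from pound, OpenSSL or the FreeBSD port.
Sizes are deliberately small so it runs in seconds."""
import secrets
import time

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin after trial division by a few small primes."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd prime with exactly `bits` bits."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def gen_safe_prime_params(bits):
    """Default dhparam behaviour: p = 2q + 1 with BOTH p and q prime.
    The chance that a random candidate passes both tests is roughly
    1/(ln p * ln q), which is what makes this search slow.
    Forcing q = 3 (mod 4) gives p = 7 (mod 8), so g = 2 is a quadratic
    residue and generates the order-q subgroup. Returns (p, q, g, trials)."""
    trials = 0
    while True:
        trials += 1
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 3
        p = 2 * q + 1
        if is_probable_prime(p) and is_probable_prime(q):
            return p, q, 2, trials


def gen_dsa_style_params(bits, qbits=160):
    """-dsaparam behaviour: fix a prime q once, then search for p = j*q + 1.
    Only p is tested inside the loop (q is already prime), so the expected
    number of trials drops to about ln p. Returns (p, q, g, trials)."""
    q = random_prime(qbits)
    trials = 0
    while True:
        trials += 1
        x = secrets.randbits(bits) | (1 << (bits - 1))
        p = x - (x % q) + 1          # p = 1 (mod q)
        if p.bit_length() == bits and is_probable_prime(p):
            break
    while True:                      # generator of the order-q subgroup
        h = secrets.randbelow(p - 3) + 2
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return p, q, g, trials


def check_params(p, q, g):
    """Sanity checks in the spirit of `openssl dhparam -check`: p and q
    prime, q divides p-1, and g generates a subgroup of order exactly q."""
    return (is_probable_prime(p) and is_probable_prime(q)
            and (p - 1) % q == 0 and 1 < g < p - 1
            and pow(g, q, p) == 1)


def compare(bits=256, qbits=160):
    """Time both strategies at the same modulus size."""
    t0 = time.perf_counter()
    sp = gen_safe_prime_params(bits)
    t1 = time.perf_counter()
    ds = gen_dsa_style_params(bits, qbits)
    t2 = time.perf_counter()
    return {"safe_prime": (t1 - t0, sp[3]), "dsa_style": (t2 - t1, ds[3])}


if __name__ == "__main__":
    for name, (secs, trials) in compare().items():
        print(f"{name:>10}: {trials:6d} candidates tested in {secs:.2f}s")
```

At 256 bits the safe-prime search typically needs tens of thousands of candidates while the DSA-style search needs a few hundred; the gap grows with the modulus size, which is why 2048-bit or 4096-bit defaults make the port build take minutes.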