Date: Mon, 03 Feb 2020 12:34:53 +0000
From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 243724] www/pound: Use -dsaparam for openssl dhparam to cut build time
Message-ID: <bug-243724-7788-ttTkkHufnz@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-243724-7788@https.bugs.freebsd.org/bugzilla/>
References: <bug-243724-7788@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=243724

--- Comment #4 from Eirik Oeverby <ltning-freebsd@anduin.net> ---
(In reply to Zeus Panchenko from comment #3)

It's not terribly obvious (in fact it might be outright wrong), and anyone relying on params generated at compile time on the FreeBSD build cluster is not going to care anyway. We build our packages in-house and pound tends to get rebuilt quite often due to other dependencies.

See https://security.stackexchange.com/questions/42415/openvpn-dhparam for an excellent discussion about this - usual caveats about trusting stackexchange obviously apply; I'm referring to it because it's easily digestible information.

Basic takeaways:
- Not using -dsaparam offers no meaningful security benefit
- Using -dsaparam has no appreciable negative side effects (performance is mentioned, but that's mostly theoretical)
- Using different primes (dhparam) than the rest of the world is a good thing

All I'm asking for is a dramatic reduction in compile time (especially with system defaults of large primes) in exchange for zero reduction in security. :)

-- 
You are receiving this mail because:
You are the assignee for the bug.
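
Added example, not part of the message above or of the www/pound port: a toy-size Python sketch of the two parameter shapes `openssl dhparam` produces, a safe prime by default and a DSA-style prime with `-dsaparam`, counting how many candidates each search needs. All function names and the small bit sizes are assumptions for illustration; real parameters are 2048 bits or larger and should come from OpenSSL itself.

```python
import random
from itertools import count

def is_probable_prime(n, rounds=24):  # Miller-Rabin with small-prime sieve
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_safe_prime(bits, rng):
    """Default dhparam shape: p and (p-1)/2 both prime. Returns (p, tries)."""
    for tries in count(1):
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, tries

def gen_dsa_style(bits, qbits, rng):
    """-dsaparam shape: p = k*q + 1 with a short prime q. Returns (p, q, g, tries)."""
    p, q, tries = 4, 4, 0
    while not is_probable_prime(q):
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
    while not is_probable_prime(p):
        tries += 1
        k = (rng.getrandbits(bits - qbits) | (1 << (bits - qbits - 1))) & ~1
        p = k * q + 1  # k is even, so p is odd
    powers = (pow(h, (p - 1) // q, p) for h in range(2, p))
    g = next(x for x in powers if x != 1)  # g generates the order-q subgroup
    return p, q, g, tries

def classify(p, g, q=None):  # defender-side check of a parameter set's shape
    if is_probable_prime(p) and is_probable_prime((p - 1) // 2):
        return "safe prime"
    ok = q and is_probable_prime(p) and is_probable_prime(q) and (p - 1) % q == 0
    return "dsa-style" if ok and g > 1 and pow(g, q, p) == 1 else "unverified"
```

The `tries` counts show why the default safe-prime search dominates build time. OpenSSL's dhparam documentation adds one caveat for DSA-style parameters: create a fresh DH key for each exchange so that small-subgroup attacks do not apply.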