nixos/dhparams: Set default bit size to 2048
@Ekleog writes in https://github.com/NixOS/nixpkgs/pull/39526: > I think a default of 4096 is maybe too much? See certbot/certbot#4973; > Let's Encrypt supposedly know what they are doing and use a > pre-generated 2048-bit DH params (and using the same DH params as > others is quite bad, even compared to lower bit size, if I correctly > remember the attacks available -- because it increases by as much the > value of breaking the group). > Basically I don't have anything personal against 4096, but fear it may > re-start the arms race: people like having "more security" than their > distributions, and having NixOS already having more security than is > actually useful (I personally don't know whether a real-size quantum > computer will come before or after our being able to break 2048-bit > keys, let alone 3072-bit ones -- see wikipedia for some numbers). > So basically, I'd have set it to 3072 in order to both decrease build > time and avoid having people setting it to 8192 and complaining about > how slow things are, but that's just my opinion. :) While he suggests is 3072 I'm using 2048 now, because it's the default of "openssl dhparam". If users want to have a higher value, they can still change it. Signed-off-by: aszlig <aszlig@nix.build>
This commit is contained in:
aszlig
parent
ce87773867
commit
b3d5ca8359
@ -10,7 +10,7 @@ let
|
||||
name = "bits";
|
||||
description = "integer of at least 16 bits";
|
||||
};
|
||||
default = 4096;
|
||||
default = 2048;
|
||||
description = ''
|
||||
The bit size for the prime that is used during a Diffie-Hellman
|
||||
key exchange.
|
||||
|
||||
Loading…
Reference in New Issue
Block a user