forked from mirrors/nixpkgs
b3d5ca8359
@Ekleog writes in https://github.com/NixOS/nixpkgs/pull/39526: > I think a default of 4096 is maybe too much? See certbot/certbot#4973; > Let's Encrypt supposedly know what they are doing and use a > pre-generated 2048-bit DH params (and using the same DH params as > others is quite bad, even compared to lower bit size, if I correctly > remember the attacks available -- because it increases by as much the > value of breaking the group). > Basically I don't have anything personal against 4096, but fear it may > re-start the arms race: people like having "more security" than their > distributions, and having NixOS already having more security than is > actually useful (I personally don't know whether a real-size quantum > computer will come before or after our being able to break 2048-bit > keys, let alone 3072-bit ones -- see wikipedia for some numbers). > So basically, I'd have set it to 3072 in order to both decrease build > time and avoid having people setting it to 8192 and complaining about > how slow things are, but that's just my opinion. :) While he suggests is 3072 I'm using 2048 now, because it's the default of "openssl dhparam". If users want to have a higher value, they can still change it. Signed-off-by: aszlig <aszlig@nix.build> |
||
---|---|---|
.. | ||
wrappers | ||
acme.nix | ||
acme.xml | ||
apparmor-suid.nix | ||
apparmor.nix | ||
audit.nix | ||
auditd.nix | ||
ca.nix | ||
chromium-suid-sandbox.nix | ||
dhparams.nix | ||
duosec.nix | ||
hidepid.nix | ||
hidepid.xml | ||
lock-kernel-modules.nix | ||
oath.nix | ||
pam.nix | ||
pam_mount.nix | ||
pam_usb.nix | ||
polkit.nix | ||
prey.nix | ||
rngd.nix | ||
rtkit.nix | ||
sudo.nix |