The current hardcoded EDH parameter fallback uses the old SKIP primes, for which
the source disappeared from the web a long time ago. Referencing a known dead
source seems a bit silly, so I think we should either switch to a non-dead
source of MODP primes or use an archive.org link for SKIP. Personally I prefer
the former.

This was touched upon, but never really discussed AFAICT, back when the EDH
parameters were reworked a few years ago. Instead of replacing with custom
ones, as suggested in [1], we might as well replace with standardized ones as
this is a fallback. Custom ones won't make it more secure, just add more work
for the project. The attached patch replaces the SKIP prime with the 2048 bit
MODP group from RFC 3526, which is the same change that OpenSSL did a few years
back [2].

cheers ./daniel

[1] https://www.postgresql.org/message-id/54f44984-2f09-8744-927f-140a90c379dc%40ohmu.fi
[2] https://github.com/openssl/openssl/commit/fb015ca6f05e09b11a3932f89d25bae697c8af1e
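
The standardized group the message proposes can be checked independently of any hosted copy. The following is an added example, not part of the message or the attached patch: it rebuilds the 2048 bit MODP prime from the formula published in RFC 3526 section 3 and checks that it is a safe prime with generator 2. The function names are illustrative.

```python
# Added example: derive the RFC 3526 2048-bit MODP prime from its formula.
def arctan_inv(x, one):
    """Fixed-point arctan(1/x), scaled by `one`, via the Taylor series."""
    term = one // x
    total, x2, k, sign = term, x * x, 3, -1
    while term:
        term //= x2
        total += sign * (term // k)
        sign, k = -sign, k + 2
    return total

def floor_pi_times_2_pow(bits, guard=64):
    """floor(2**bits * pi) using Machin's formula; guard bits absorb rounding."""
    one = 1 << (bits + guard)
    pi_scaled = 4 * (4 * arctan_inv(5, one) - arctan_inv(239, one))
    return pi_scaled >> guard

def rfc3526_modp_2048():
    """p = 2^2048 - 2^1984 - 1 + 2^64 * (floor(2^1918 * pi) + 124476)."""
    return (2**2048 - 2**1984 - 1
            + 2**64 * (floor_pi_times_2_pow(1918) + 124476))

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed small bases (probabilistic at this size)."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # no square root of 1 reached n-1: composite
    return True

def check_group(p, g=2):
    """True if p is a safe prime and g has prime order q = (p-1)/2 mod p."""
    q = (p - 1) // 2
    return is_probable_prime(p) and is_probable_prime(q) and pow(g, q, p) == 1
```

Comparing `rfc3526_modp_2048()` against the constant in a patch confirms the hardcoded bytes are the standardized group rather than a mistyped or substituted value.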