Use standard Diffie-Hellman parameters
problem
Currently it's recommended to generate your own set of DH parameters for Gajim. But most users will probably ignore this warning, therefore it's better to ship safe default DH parameters.
analysis
The current parameters in data/other/dh4096.pem were generated with OpenSSL. But that generation process is based on random numbers and can't be reproduced by anyone else.
enhancement recommendation
It's better to use the 4096-bit MODP Group from RFC 3526 as the default DH parameters. The generation of this group is described in RFC 2412, Appendix E.

The OpenSSL command dhparam -check will print a warning for these parameters:
$ openssl dhparam -in dh4096.pem -noout -check
the g value is not a generator
This is by design of both the OpenSSL checker and the IETF MODP groups. Comment by user poncho on Crypto Stack Exchange (https://crypto.stackexchange.com/questions/12961/diffie-hellman-parameter-check-when-g-2-must-p-mod-24-11, https://crypto.stackexchange.com/users/452/poncho):

"Actually, there is no major difference between p≡23 (mod 24) vs p≡11 (mod 24); any minor difference boils down to "do you prefer the DH shared secret to be limited to half the possible values; or do you prefer to leak a bit of the secret exponents?". OpenSSL prefers to leak one bit; the RFC 3526 designers decided they preferred to limit the possible values."
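To make the two points above concrete (the RFC 2412 Appendix E construction, and why the OpenSSL check warns for these groups), here is an added Python example; it is not code from Gajim or from the original ticket. It rebuilds the RFC 3526 primes from the formula p = 2^n - 2^(n-64) - 1 + 2^64 * (floor(2^(n-130) * pi) + c), using the per-group constants c as given in RFC 3526, then verifies that p is a safe prime, that p ≡ 23 (mod 24), and that g = 2 has order (p-1)/2 rather than p-1, which is exactly the condition that dhparam -check reports as "the g value is not a generator". The function names, the Machin-formula pi routine and the Miller-Rabin bases are this example's own choices, not anything OpenSSL or the RFC prescribes.

```python
"""Rebuild RFC 3526 MODP primes from the RFC 2412 Appendix E formula and
reproduce the subgroup reasoning behind OpenSSL's 'not a generator' warning.
Stand-alone example (standard library only); not Gajim or OpenSSL code."""

# Additive constants c per group, as printed in RFC 3526:
#   p = 2^n - 2^(n-64) - 1 + 2^64 * ( floor(2^(n-130) * pi) + c )
MODP_CONSTANTS = {
    1536: 741804,
    2048: 124476,
    4096: 240904,
}


def pi_scaled(bits):
    """Return floor(pi * 2**bits), computed with Machin's formula
    pi = 16*arctan(1/5) - 4*arctan(1/239) in exact integer arithmetic."""
    guard = 64                      # extra bits to absorb truncation error
    prec = bits + guard

    def arctan_inv(x):
        # arctan(1/x) * 2**prec via sum_k (-1)^k / ((2k+1) * x^(2k+1))
        power = (1 << prec) // x    # 1/x scaled
        total = power
        x2 = x * x
        k = 1
        while power:
            power //= x2
            term = power // (2 * k + 1)
            total += -term if k % 2 else term
            k += 1
        return total

    return (16 * arctan_inv(5) - 4 * arctan_inv(239)) >> guard


def modp_prime(n):
    """The n-bit RFC 3526 prime, built from the formula rather than copied
    from the RFC's hex dump (so the result is reproducible by construction)."""
    c = MODP_CONSTANTS[n]
    return (1 << n) - (1 << (n - 64)) - 1 + (1 << 64) * (pi_scaled(n - 130) + c)


def is_probable_prime(m, bases=(2, 3, 5, 7, 11, 13, 17, 19)):
    """Miller-Rabin with fixed bases; probabilistic, adequate for a demo."""
    if m < 2:
        return False
    for b in bases:
        if m % b == 0:
            return m == b
    d, r = m - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, m)
        if x in (1, m - 1):
            continue
        for _ in range(r - 1):
            x = x * x % m
            if x == m - 1:
                break
        else:
            return False
    return True


def check_generator(p, g=2):
    """Mirror the reasoning behind OpenSSL's 'g value is not a generator'.
    For a safe prime p = 2q + 1, Euler's criterion g^q mod p tells us whether
    g is a quadratic residue (order q: only half the group is reachable, the
    RFC 3526 choice, p = 23 mod 24) or a non-residue (order 2q: full group,
    but the Legendre symbol of g^x leaks the low bit of x, the OpenSSL
    preference, p = 11 mod 24)."""
    q = (p - 1) // 2
    safe = is_probable_prime(p) and is_probable_prime(q)
    euler = pow(g, q, p)
    if euler == 1:
        order = "q"       # g generates the prime-order subgroup of size (p-1)/2
    elif euler == p - 1:
        order = "2q"      # g generates the whole multiplicative group
    else:
        order = "other"   # cannot happen for a safe prime and g not in {1, p-1}
    return {"p_mod_24": p % 24, "safe_prime": safe, "order_of_g": order}


if __name__ == "__main__":
    p = modp_prime(4096)
    print("4096-bit MODP prime, hex head:", hex(p)[:34], "...", hex(p)[-16:])
    print(check_generator(p))
```

Running the file prints the familiar FFFFFFFF FFFFFFFF C90FDAA2 ... prefix of the RFC group and a result of p mod 24 = 23 with order q for g = 2; a parameter set whose prime satisfies the checker's preferred p ≡ 11 (mod 24) would instead report order 2q, which is the only difference the warning is pointing at.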