Hi Rich,
Thanks for the reply. We are planning to use DHE_RSA based ciphers.
Regards
Jaya
On Wed, Dec 6, 2017 at 7:20 PM, Salz, Rich via openssl-users <
openssl-users@openssl.org> wrote:
> You can re-use the keys, but then you get no forward secrecy, and sessions
> generated with one
Hi Michael,
Thanks for very detailed answers. This will surely help me to investigate
further.
Regards
Jaya
On Wed, Dec 6, 2017 at 7:37 PM, Michael Wojcik <
michael.woj...@microfocus.com> wrote:
> > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On
> Behalf Of Salz, Rich via
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Salz, Rich via openssl-users
> Sent: Wednesday, December 06, 2017 08:50
> You can re-use the keys, but then you get no forward secrecy, and sessions
> generated with one connection are
> vulnerable to another.
If
You can re-use the keys, but then you get no forward secrecy, and sessions
generated with one connection are vulnerable to another.
Why are you using DH? Unless you have compelling reasons (interop with
legacy), you really should use ECDHE.
--
openssl-users mailing list
To unsubscribe:
For DHE_RSA, you first need a pair of RSA certificate/key for signing. And you
if want to use specific DH parameters, you can use the SSL_CTX_set_tmp_dh API,
there is documentation describing how to use this function.
DH parameter could be generated by OpenSSL in many ways, one of the common
