Re: [openssl-users] A question DH parameter generation and usage

2017-12-07 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > Of Jakob Bohm > Sent: Thursday, December 07, 2017 01:44 > > > Actually in some of my code, I have found that the callback can > still be useful by examining the SSL session argument to > heuristically identify likely

Re: [openssl-users] A question DH parameter generation and usage

2017-12-06 Thread Jakob Bohm
On 06/12/2017 20:25, Michael Wojcik wrote: From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Viktor Dukhovni Sent: Wednesday, December 06, 2017 13:21 On Dec 6, 2017, at 8:51 AM, Michael Wojcik wrote: Note: If you use OpenSSL 1.0.x

Re: [openssl-users] A question DH parameter generation and usage

2017-12-06 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > Of Viktor Dukhovni > Sent: Wednesday, December 06, 2017 13:21 > > > On Dec 6, 2017, at 8:51 AM, Michael Wojcik > wrote: > > > > > > Note: If you use OpenSSL 1.0.x and you use the DH

Re: [openssl-users] A question DH parameter generation and usage

2017-12-06 Thread Viktor Dukhovni
> On Dec 6, 2017, at 8:51 AM, Michael Wojcik > wrote: > > > Note: If you use OpenSSL 1.0.x and you use the DH parameter callback, be > aware that the callback isn't invoked in a useful manner by OpenSSL. (It > always asks for a 1024-bit group, unless an

Re: [openssl-users] A question DH parameter generation and usage

2017-12-06 Thread Michael Wojcik
For TLSv1.3, servers are no longer allowed to specify arbitrary DH groups (for finite-field or EC DH). They must use one of the named groups. So for 1.3, there's no point in generating your own groups; conforming implementations can't use them. For finite-field DH, those are the groups

Re: [openssl-users] A question DH parameter generation and usage

2017-12-06 Thread Jayalakshmi bhat
Hi Jakob and Paul, Thank you so much for the reply. We have the RSA certificates. I wanted to understand how generally DH parameters are generated. Thanks for the detailed answers. Regards Jayalakshmi On Wed, Dec 6, 2017 at 12:48 AM, Jakob Bohm wrote: > On 06/12/2017

Re: [openssl-users] A question DH parameter generation and usage

2017-12-05 Thread Jakob Bohm
On 06/12/2017 07:02, Jayalakshmi bhat wrote: Hi, We are planning to use DHE_RSA TLS ciphers into our product. I have a few questions on using DH parameter. We would like to use DH-2048. Our product includes both TLS client and server applications. Thus any time there will be considerable

[openssl-users] A question DH parameter generation and usage

2017-12-05 Thread Jayalakshmi bhat
Hi, We are planning to use DHE_RSA TLS ciphers into our product. I have a few questions on using DH parameter. We would like to use DH-2048. Our product includes both TLS client and server applications. Thus any time there will be considerable number of active connections. I believe we can use