Dr Stephen Henson wrote:
>
> Deva Seetharam wrote:
> >
> > Hi
> > I am trying to use
> > Kx=DH Au=DH Enc=3Des Md=SHA1.
> >
> > For a DOMESTIC (USA) application, we are trying
> > to use DH for both key exchange and authentication,
> > 3Des for cipher and SHA1 for message digests.
> >
> > So, I tried this:
> > openssl ciphers -v
> > "!RSA:!EXP:!aRSA:!aNULL:kEDH:aDH:3DES:SHA1"
> >
> > and I get the output:
> > EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
> > EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
> >
> > Does it mean that I can't use DH for authentication?
>
> No, you can't use DH for authentication. For that you need DH
> certificates which OpenSSL doesn't support.
>
One more point: since you can't use DH for signing, the certificates
would still need to be signed with another algorithm such as DSA or RSA.
So you'd still need something like DSA (DSS) as well even if OpenSSL did
support DH certificates.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
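As an added illustration (not code from the thread or from OpenSSL), the parser below reads the `openssl ciphers -v` output format discussed above and checks the Kx=/Au=/Enc= columns against what the cipher string was meant to select, so a mismatch like "asked for aDH, got Au=DSS" is caught by a script rather than by eye. The sample lines are the two from the quoted output; the function names and the 112-bit floor are my own choices.

```python
import re
import shutil
import subprocess
from collections import Counter

# Constructed sample: the two suites quoted in the thread's `openssl ciphers -v` output.
SAMPLE_OUTPUT = """\
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
"""

# One `-v` line: NAME PROTOCOL Kx=... Au=... Enc=ALG(bits) Mac=...
_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>[A-Za-z0-9/\-]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
)


def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` output into one dict per suite; skip unparsable lines."""
    suites = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["bits"] = int(d["bits"]) if d["bits"] else None
            suites.append(d)
    return suites


def audit(suites, want_kx="DH", want_au="DH", min_bits=112):
    """Compare what the list really provides with what the cipher string asked for."""
    problems = []
    for s in suites:
        if s["kx"] != want_kx:
            problems.append(f"{s['name']}: Kx={s['kx']}, wanted {want_kx}")
        if s["au"] != want_au:
            problems.append(f"{s['name']}: Au={s['au']}, wanted {want_au}")
        if s["au"] == "None":
            problems.append(f"{s['name']}: anonymous (unauthenticated) suite")
        if s["bits"] is not None and s["bits"] < min_bits:
            problems.append(f"{s['name']}: Enc={s['enc']}({s['bits']}) below {min_bits} bits")
    return {"count": len(suites),
            "auth_algorithms": dict(Counter(s["au"] for s in suites)),
            "problems": problems}


def ciphers_from_openssl(cipher_string):
    """Run the real `openssl ciphers -v` for a cipher string, if openssl is installed."""
    if shutil.which("openssl") is None:
        return None
    out = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                         capture_output=True, text=True, check=False).stdout
    return parse_ciphers_v(out)
```

Run `audit(parse_ciphers_v(SAMPLE_OUTPUT))` on the quoted lines and every suite is reported as Au=DSS rather than DH, and the single-DES suite is additionally flagged for its 56-bit key.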
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]