On Tue Oct 06 13:27:17 2015, [email protected] wrote:
>
> Please update the docs to make it clear they are server-only
> functions. It might be helpful to tell users there are currently no
> client-based APIs they can use to enforce a DH minimum.
>
Well, there is in the master branch through security levels and a custom
callback (if the supplied levels don't meet your needs). Currently the callback
operation is undocumented: that will be fixed.
For other branches... there *is* a way to limit DH parameters globally using a
custom DH method, but it's a bit messy. I've attached an example.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
/* Custom DH method. Intercept compute_key calls and return an error if
 * the prime 'p' is too small. Otherwise continue.
 *
 * Relies on the public DH and DH_METHOD structures of the OpenSSL 1.0.x
 * branches; in 1.1.0 and later these are opaque and security levels are
 * the supported route.
 */
#include <openssl/bn.h>
#include <openssl/dh.h>
#include <openssl/err.h>

static DH_METHOD dhmeth;
static int (*old_compute_key)(unsigned char *key, const BIGNUM *pub_key, DH *dh);

static int dh_new_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
{
    if (BN_num_bits(dh->p) < 1024) {
        /* Most appropriate error that exists on all versions of OpenSSL */
        DHerr(DH_F_COMPUTE_KEY, DH_R_INVALID_PUBKEY);
        return 0;
    }
    /* Prime is large enough: hand off to the library's own compute_key */
    return old_compute_key(key, pub_key, dh);
}

/* Call once at startup, before any DH object is created: a DH picks up the
 * default method at DH_new() time, so objects created earlier are not
 * covered. Copies the default method, swaps in compute_key only, and makes
 * the copy the process-wide default (libssl and direct DH users alike). */
static void init_custom_dh(void)
{
    const DH_METHOD *dhold;

    dhold = DH_get_default_method();
    dhmeth = *dhold;
    old_compute_key = dhold->compute_key;
    dhmeth.compute_key = dh_new_compute_key;
    DH_set_default_method(&dhmeth);
}
openssl-dev mailing list