On 02/02/16 21:34, Rainer Jung wrote:
> Hi there,
>
> reading the last advisory again, I noticed, that there's one logical
> inconsistency.
>
> First:
>
> OpenSSL before 1.0.2f will reuse the key if:
> ...
> - Static DH ciphersuites are used. The key is part of the certificate
> and so it will always reuse it. This is only supported in 1.0.2.
>
>
> and then:
>
> It will not reuse the key for DHE ciphers suites if:
> - SSL_OP_SINGLE_DH_USE is set
> ...
>
> So what's the situation if both situations apply, static DH ciphersuites
> are used and SSL_OP_SINGLE_DH_USE is set. Which of these is
> stronger? Will the key be reused? Or is that combination impossible? It
> doesn't seem to be clear to me from the wording in the advisory.

DH ciphersuites come in two forms: static DH and ephemeral DH (aka DHE).
You can't have both at the same time. SSL_OP_SINGLE_DH_USE does not
apply to static DH ciphersuites.

Matt
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
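
The distinction drawn in the reply above, as an added example that is not part of the original thread or of OpenSSL's code: a small audit helper that sorts OpenSSL-style cipher suite names into static DH and ephemeral DH and applies the two advisory statements quoted in the thread. The function names, verdict labels and sample suite list are assumptions made for illustration; the advisory conditions elided with "..." in the thread are not modelled and are reported as "see-advisory".

```python
# Added illustration; verdict labels and the sample suite list are constructed.
STATIC_DH = ("DH-RSA-", "DH-DSS-")        # DH key is part of the certificate
EPHEMERAL_DH = ("DHE-", "EDH-", "ADH-")   # EDH- is the older spelling of DHE-;
                                          # ADH- is anonymous but still ephemeral


def dh_kind(cipher_name):
    """Classify an OpenSSL-style suite name as static, ephemeral or other."""
    name = cipher_name.upper()
    if name.startswith("EXP-"):           # export suites carry an extra prefix
        name = name[4:]
    if name.startswith(STATIC_DH):
        return "static"
    if name.startswith(EPHEMERAL_DH):
        return "ephemeral"
    return "other"                        # RSA, ECDH(E), PSK, ...


def key_reuse(cipher_name, single_dh_use):
    """Apply the two advisory statements quoted in the thread to one suite."""
    kind = dh_kind(cipher_name)
    if kind == "static":
        # SSL_OP_SINGLE_DH_USE does not apply: the key comes from the certificate.
        return "always-reused"
    if kind == "ephemeral":
        # With the option set the key is not reused; without it the outcome
        # depends on advisory conditions that the thread elides.
        return "not-reused" if single_dh_use else "see-advisory"
    return "not-applicable"


def audit(cipher_names, single_dh_use):
    """Map every suite name to its key-reuse verdict."""
    return {name: key_reuse(name, single_dh_use) for name in cipher_names}


if __name__ == "__main__":
    sample = [                            # constructed sample configuration
        "DH-RSA-AES256-SHA",
        "DHE-RSA-AES256-GCM-SHA384",
        "EDH-RSA-DES-CBC3-SHA",
        "ECDHE-RSA-AES128-GCM-SHA256",
    ]
    for flag in (False, True):
        print("SSL_OP_SINGLE_DH_USE =", flag)
        for suite, verdict in audit(sample, flag).items():
            print(f"  {suite:32} {verdict}")
```
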