Chris - I have to admit I really don't know.. We are starting out with
OpenSSL and have been advised that the SSL_DHE_DSS.. cipher suites are free
of patents and that we should therefore use them rather than RSA suites. We were
also told that the 'ephemeral' would be best since the DH parameters are not
stored in the certificate, which means we could use any certificate (rather
than a DH one).

As far as I can tell our OpenSSL server is using whatever is in
server.pem - the default certificate for OpenSSL?

Our client is unauthenticated - it's a Java applet running inside the applet
sandbox (which means it cannot read the local disk).

Would you concur that :-
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
are reasonable choices to avoid patent issues?

I am looking at the s_server.c code to see what we have to do to have
OpenSSL accept the DHE.. suites but it's not immediately obvious.. the
following in s_server appears to do something with DH but I have no idea
what...

#ifndef NO_DH
 /* EAY EAY EAY evil hack */
 /* Try to read DH parameters from a PEM file; without some DH
    parameters the DHE (ephemeral DH) suites cannot be negotiated. */
 dh=load_dh_param();
 if (dh != NULL)
  {
  BIO_printf(bio_s_out,"Setting temp DH parameters\n");
  }
 else
  {
  /* Fall back to the 512-bit parameters compiled into s_server. */
  BIO_printf(bio_s_out,"Using default temp DH parameters\n");
  dh=get_dh512();
  }
 BIO_flush(bio_s_out);

 /* Install them as the context's temporary DH parameters, used for the
    DHE suites; the context keeps its own copy, so the local handle
    can be freed here. */
 SSL_CTX_set_tmp_dh(ctx,dh);
 DH_free(dh);
#endif

Any help in this area greatly appreciated..
DM

>
> >Hi - we would like to use the following SSL cipher suites with OpenSSL :-
> >
> >SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
> >SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
> >
> >Can anyone help with how to set up OpenSSL to use these suites? When I
> >send these in the client hello from the client I get "no common cipher
> >suites" from the OpenSSL server.
>
> Are you using DSA certificates/parameters?
>
> --Chris
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
>

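Since the question in this thread is what the server has to be given before the two DHE_DSS suites will negotiate, here is an added example (not from the thread or from OpenSSL) that takes an SSL_/TLS_ cipher-suite name apart and lists what the server must hold for it; the analyse function, the SuiteNeeds class and the requirement strings are this example's own.

```python
import re
from dataclasses import dataclass, field

# Name layout in the SSL/TLS specs: <proto>_<kx>[_<auth>][_EXPORT]_WITH_<cipher>_<mac>
SUITE_RE = re.compile(
    r"^(?:SSL|TLS)_(?P<kx>[A-Z]+?)(?:_(?P<auth>RSA|DSS|anon))?"
    r"(?P<export>_EXPORT)?_WITH_(?P<cipher>[A-Z0-9_]+?)_(?P<mac>MD5|SHA)$"
)


@dataclass
class SuiteNeeds:
    key_exchange: str
    authentication: str
    cipher: str
    mac: str
    server_needs: list = field(default_factory=list)  # what the server must be configured with
    weaknesses: list = field(default_factory=list)    # properties a reviewer should flag


def analyse(name: str) -> SuiteNeeds:
    """Derive server-side requirements from an SSL_/TLS_ cipher-suite name."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher-suite name: {name}")
    kx = m["kx"]
    auth = m["auth"] or kx  # SSL_RSA_WITH_... uses the RSA key for exchange and authentication
    needs = SuiteNeeds(kx, auth, m["cipher"], m["mac"])
    if auth == "DSS":
        needs.server_needs.append("DSA certificate and private key (an RSA cert will not match)")
    elif auth == "RSA":
        needs.server_needs.append("RSA certificate and private key")
    elif auth == "anon":
        needs.weaknesses.append("no server authentication: an active attacker can sit in the middle")
    if kx == "DHE" or auth == "anon":
        # Parameters travel in ServerKeyExchange, so they come from SSL_CTX_set_tmp_dh, not the cert.
        needs.server_needs.append("temporary DH parameters (SSL_CTX_set_tmp_dh)")
    elif kx == "DH":
        needs.server_needs.append("certificate whose public key is a static DH key")
    if m["export"]:
        needs.weaknesses.append("export grade: key exchange capped at 512 bits")
    if "40" in m["cipher"]:  # DES40, RC4_40, RC2_CBC_40
        needs.weaknesses.append("40-bit bulk cipher")
    return needs


if __name__ == "__main__":
    for suite in ("SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"):
        print(suite, analyse(suite))
```

For the two suites named in the thread it reports a DSA certificate plus temporary DH parameters, and flags the EXPORT/DES40 suite as a 40-bit cipher with a 512-bit key exchange.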