On 09/16/99, David Murphy said:
>Chris - I have to admit I really don't know. We are starting out with
>OpenSSL and have been advised that the SSL_DHE_DSS.. cipher suites are free
>of patents and should therefore use them rather than RSA suites. We were
>also told that the 'ephemeral' would be best since the DH parameters are not
>stored in the certificate, which means we could use any certificate (rather
>than a DH one).
Yes, this is the case.
>As far as I can tell our OpenSSL server is using whatever is in
>server.pem - the default certificate for OpenSSL?
Ah see, the default server.pem is an RSA type certificate, and hence, it
won't work with EDH/DSS.
>Would you concur that :-
>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
>are reasonable choices to avoid patent issues?
Yep, I can't see any problems there.
>I am looking at the s_server.c code to see what we have to do to have
>OpenSSL accept the DHE.. suites but it's not immediately obvious. The
>following in s_server appears to do something with DH but I have no idea
>what...
Well, I think the only thing you're missing is that you need to create a
DSA certificate and parameters, and use those instead of the RSA counterparts.
--Chris
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]