On Tue, Aug 05, 2003, Austin Krauss wrote:

> Reading the cipher man page off the web details an interesting note about DH
> certificates: "The non-ephemeral DH modes are currently unimplemented in
> OpenSSL because there is no support for DH certificates."
>
> My question is this, why are some DH cipher suites unimplemented but the AES
> ones are implemented? For example: SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA is
> listed as "Not implemented". But, TLS_DH_DSS_WITH_AES_128_CBC_SHA is
> implemented?

It might be listed in the cipher list but there's no DH certificate support for it.

> Also, if OpenSSL supports DH key exchange (as it looks like it has API
> functions to generate DH keys), why are DH certificates unsupported? I take
> it DH certificates aren't in wide use?

That's an understatement. The only examples of DH certificates I've seen are in
the S/MIME v3 examples draft and those are X9.42 DH as opposed to PKCS#3 DH. I
know of no CAs that will issue DH certificates and there are various issues with
creating PKCS#10 certificate requests since you can't directly use DH to sign
them.

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]