On Wed, Aug 11, 2004, [EMAIL PROTECTED] wrote:

> > Yes, if you are trusting any certificate then you might as well use anon DH.
> >
> > Normally, for certificates, this is resolved by using a mutually acceptable
> > certificate or CA certificate which have been exchanged by some secure means.
> >
> > Steve.
>
> First of all thanks for your suggestions, I'll keep them in mind.
> How would I then use the anonymous DH public key algorithm?
> (May it either be on the fly or from a file containing the public values.)
>
> Are there any functions for that in the openssl library that I can use?
>
You need to supply a set of DH parameters. Since these can take some time to
generate they are often generated in advance and read from a file or even hard
coded in source. 'openssl dhparam' can be used for this.

The function SSL_CTX_set_tmp_dh() among others can be used to use these DH
parameters in an SSL_CTX structure.

Finally, an appropriate cipher string needs to be set. The string "ADH" is
useful for this, for example "ADH:@STRENGTH" will just select anon DH ciphers
sorted by strength.

The s_server and s_client utilities can be used to try this out. They
automatically set DH parameters (though new ones can be supplied too) and by
using the -nocert option in s_server and an appropriate cipher string anon DH
can be negotiated.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                              [EMAIL PROTECTED]
Automated List Manager                                 [EMAIL PROTECTED]
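The three steps in Steve's reply (parameters, cipher string, s_server/s_client), as an added shell example that is not part of the original thread. It assumes the openssl binary is on PATH; the file name, port and the check function anon_dh_only are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread.  Assumes the openssl binary is on
# PATH; file name, port and variable names below are constructed values.
DH_PARAMS=${DH_PARAMS:-dh2048.pem}
PORT=${PORT:-4433}
CIPHERS=${CIPHERS:-'ADH:@STRENGTH'}   # the cipher string from the reply

# Step 1: generate DH parameters once, ahead of time, because generation
# is slow; the file is then reused by every server start.
generate_dh_params() {
    [ -s "$DH_PARAMS" ] || openssl dhparam -out "$DH_PARAMS" 2048
}

# Step 2: see what the cipher string actually selects.  Returns 0 only if
# at least one suite is selected and every TLS 1.2-and-below suite in the
# list is unauthenticated (Au=None); the TLSv1.3 suites that newer OpenSSL
# prepends to every list are skipped because they carry no Au of their own.
# Run it with a production string to confirm it admits no anonymous suite,
# or with an anon-DH string to confirm it admits nothing else.
anon_dh_only() {
    list=$(openssl ciphers -v "${1:-$CIPHERS}") || return 1
    printf '%s\n' "$list" | awk '
        $2 != "TLSv1.3" { n++; if ($4 != "Au=None") bad = 1 }
        END { exit (bad || n == 0) }'
}

# Step 3: try it out with the bundled tools.  -nocert lets s_server start
# without a certificate; the cipher string restricts both ends to anon DH.
# OpenSSL 1.1.0 and later reject unauthenticated suites at their default
# security level, so on those builds both ends need a string such as
# 'ADH:@STRENGTH:@SECLEVEL=0' for the handshake to complete.
anon_dh_server() {
    generate_dh_params || return 1
    openssl s_server -accept "$PORT" -nocert -dhparam "$DH_PARAMS" \
        -cipher "$CIPHERS"
}
anon_dh_client() {
    openssl s_client -connect "127.0.0.1:$PORT" -cipher "$CIPHERS"
}
# Usage: source this file, run anon_dh_server in one terminal and
# anon_dh_client in another; anon_dh_only checks a string without connecting.
```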