[openssl-users] how to set temporary EC Diffie-Hellman parameters

yordanos beyene yordanosb at gmail.com
Fri Sep 9 15:58:56 UTC 2016


I got my application to support openssl s_client connections using the
ephemeral ECDH cipher suites. I didn't initialize it properly.

Now I am looking at how to get my application accept openssl connections
from a client with multiple curves instead of just "NID_X9_62_prime256v1".
I appreciate any tips.
      EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);

Thanks!

Jordan.

On Thu, Sep 8, 2016 at 12:12 PM, yordanos beyene <yordanosb at gmail.com>
wrote:

> Hello,
>
> I appreciate if anyone can guide me how to set temporary EC Diffie-Hellman
> parameters to be able to accept SSL connections from a client
> using ephemeral ECDHE cipher.
>
> I have an ssl based application that can accept SSL connections. I can
> establish SSL connections from a client using RSA cipher ( eg AES128-SHA), but
> when I use the ephemeral EDHE ciphers (eg ECDHE-RSA-AES128-SHA), the SSL
> handshake fails.
>
> I have been googling to understand the issue for several hours, and it
> looks like I need to set temporary DH parameters.
>
> I added the following code right after SSL initialization and creating
> context in my application.
> ...
>    EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
>    ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
>    if (! ecdh)
>        error ();
>    if (1 != SSL_CTX_set_tmp_ecdh (session_cache_ctx, ecdh))
>       return -ENOMEM;
>    EC_KEY_free (ecdh);
> ...
>
> But it is still not working. I am not familiar with this area, and
> I greatly appreciate any help.
>
> I am running OpenSSL 1.0.1
>
> Jordan.
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160909/165a1fff/attachment-0001.html>


More information about the openssl-users mailing list