[openssl-users] A question DH parameter generation and usage
Viktor Dukhovni
openssl-users at dukhovni.org
Wed Dec 6 18:21:14 UTC 2017
> On Dec 6, 2017, at 8:51 AM, Michael Wojcik <Michael.Wojcik at microfocus.com> wrote:
>
>
> Note: If you use OpenSSL 1.0.x and you use the DH parameter callback, be aware that the callback isn't invoked in a useful manner by OpenSSL. (It always asks for a 1024-bit group, unless an export cipher suite was selected, which should never happen.)
This is misleading. The callback does not really ask for a 1024-bit group,
rather it passes one of two key-size hints "512" for export ciphers and 1024
for non-export ciphers. Therefore, one can return any reasonable group size
instead of 1024 bits. See for example:
https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_dh.c#L227
where the "1024-bit" group returned by the tmp_dh callback is a 2048-bit group.
The text at:
http://www.postfix.org/FORWARD_SECRECY_README.html#dfn_fs
http://www.postfix.org/FORWARD_SECRECY_README.html#tls_fs
may be helpful to some users not familiar with forward secrecy in TLS.
> In fact, now that export ciphers have gone the way of the dodo, the best thing to do is probably just set a single group of your preferred size in all your SSL_CTX structures and forget about the callback.
Sure, provided one is sure that this will not lead to (DH) private key re-use.
In sufficiently recent OpenSSL releases single DH use is the default and IIRC
cannot be disabled. But older releases may more reliably avoid DH key re-use
when the group is provided via the tmp_dh callback.
--
Viktor.
More information about the openssl-users
mailing list