[openssl-users] How to enable Fixed Diffie Hellman key exchange mechanism

Bharathi Prasad barati.j.prasad at gmail.com
Thu Jan 11 09:35:41 UTC 2018


Hello,

I want to use static Diffie Hellman key exchange with RSA authentication
(DH_RSA) in my application.

I am currently using OpenSSL version 1.0.2n. I understand that from version
1.0.2 openSSL supports fixed DH.

Here is what I have tried so far.

Trial 1: I created DH server and client certificates as described in demo
script in master branch demos/certs/mkcerts.sh.
 I need a certificate in PKCS12 file to import into my application. Since DH
certificate do not have private key I used pkcs12 -nokeys option. This
approach failed when I tried to read the certificate from my store.


Trial 2.  I tried to set DH certificates with SSL_CTX_use_certificate_file()
in the client and server applications.
After loading the certificate into my ssl context what should I do?

Trial 3. I came across some articles where it was suggested that for static
DH key exchange append DH parameters to the server certificate. So I
appended my DH parameters (2048 key size) to my server certificate and
created a pkcs12 file.

Import certificate worked however when I tried to read back the certificate
from store into x509 object I was unable to retrieve the DH parameters.

I could not find a way to retrieve my DH parameters from the server
certificate.

Trial 4: I placed DH parameter file in my project folder and read the
parameters using PEM_read_DHparams(). Then I tried to create DH key with
DH_generate_key();

I could not call DH_compute_key as I do not have peer certificate. This
configuration is done before I call ssl_connect. So my SSL object is NULL at
this point of time.

After this I do not know how to proceed.

I cannot use SSL_CTX_set_tmp_dh as this api is used for ephemeral Diffie
Hellman key exchange.

Please let me know where I am going wrong. I need to enable static DH in my
application.

Regards
Bharathi 



--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html


More information about the openssl-users mailing list