SSL Server setup DH/ECDH

Chitrang Srivastava chitrang.srivastava at gmail.com
Tue Aug 6 10:21:23 UTC 2019


Yes, since in my case mostly a browser will be used to access the webserver
running on an embedded platform.
Another question: since my webserver is running on an embedded platform and it
has limited memory, I have disabled ARIA/CAMELLIA and a few others. Is that OK?
Because I don't see any cipher suites which are used in practice.


On Tue, Aug 6, 2019 at 3:42 PM Matt Caswell <matt at openssl.org> wrote:

>
>
> On 06/08/2019 11:07, Chitrang Srivastava wrote:
> > Thanks Matt,
> >
> > So now I have, which i believe is enough ?
> >
> > SSL_CTX_set_options(s_ctx,  SSL_OP_NO_RENEGOTIATION |
> > SSL_OP_CIPHER_SERVER_PREFERENCE);
> > SSL_CTX_set_min_proto_version(s_ctx, TLS1_2_VERSION);
>
> This is fine although it obviously prevents connections from very old clients
> that don't support TLSv1.2. This might not be a problem for you depending on
> your situation.
>
> Matt
>
> >
> > On Tue, Aug 6, 2019 at 3:04 PM Matt Caswell <matt at openssl.org
> > <mailto:matt at openssl.org>> wrote:
> >
> >
> >
> >     On 06/08/2019 09:42, Chitrang Srivastava wrote:
> >     > Hi,
> >     >
> >     > I am implementing an HTTPS server using openssl 1.1.1b.
> >     > Is it mandatory to set up these APIs while creating the SSL context?
> >     >
> >     > SSL_CTX_set_tmp_ecdh
> >     >
> >     > SSL_CTX_set_tmp_dh
> >
> >     By default OpenSSL will automatically use ECDH if appropriate and choose a
> >     suitable group so there is no need to call SSL_CTX_set_tmp_ecdh() unless you
> >     want more control over which specific group is used.
> >
> >     OpenSSL will not use DH unless you specifically configure it. If you want to
> >     make use of DH based ciphersuites then you must either call SSL_CTX_set_tmp_dh()
> >     or SSL_CTX_set_dh_auto() (or the SSL_* equivalents). Calling the former enables
> >     you to configure any arbitrary DH group that you choose. Calling the latter will
> >     enable the built-in DH groups.
> >
> >     It is not mandatory to call any of the above.
> >
> >     >
> >     > Also, any suggestion on what options one should set while setting up the
> >     > server, like SSL_CTX_set_options with SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3?
> >
> >     Don't use the protocol version specific options at all. Use
> >     SSL_CTX_set_min_proto_version() if you want to specify a minimum protocol
> >     version. SSLv2 is no longer supported at all. SSLv3 is compiled out by default.
> >
> >     Other options that are worth considering are SSL_OP_NO_RENEGOTIATION and
> >     (possibly) SSL_OP_CIPHER_SERVER_PREFERENCE. Generally you don't need the others
> >     unless there is a specific problem you are trying to solve.
> >
> >     Matt
> >
>
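The settings agreed on in this thread, put into a runnable form as an added example (not code from the thread or from the OpenSSL project). It uses Python's standard ssl module, which is a binding to OpenSSL, so the C calls above map onto ssl.SSLContext attributes; that mapping, the LEAN_CIPHERS string (the runtime counterpart of compiling ARIA/CAMELLIA out), and the helper names key_exchange_of and audit_context are this example's own assumptions. The audit shows which suites a TLS 1.2+ context actually offers once ECDHE-only AEAD suites are selected, and flags anything that would need DH parameters or lacks forward secrecy.

```python
import ssl

# Cipher string used by this example (constructed here, not from the thread):
# ECDHE key exchange and AEAD ciphers only; ARIA and CAMELLIA excluded by name,
# which is the runtime counterpart of compiling them out as the thread does.
LEAN_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!ARIA:!CAMELLIA:!aNULL:!MD5"


def build_server_context(cipher_string=LEAN_CIPHERS):
    """Build a server SSLContext with the settings agreed on in the thread.

    Assumed mapping from the thread's C calls to the ssl module:
      SSL_CTX_set_min_proto_version(s_ctx, TLS1_2_VERSION)   -> minimum_version
      SSL_CTX_set_options(s_ctx, SSL_OP_NO_RENEGOTIATION |
                          SSL_OP_CIPHER_SERVER_PREFERENCE)    -> options
      SSL_CTX_set_cipher_list(s_ctx, ...)                     -> set_ciphers()
    Nothing corresponds to SSL_CTX_set_tmp_ecdh(): OpenSSL picks an ECDH group
    itself, and DH suites stay unused because no DH parameters are loaded.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    # OP_NO_RENEGOTIATION needs OpenSSL >= 1.1.0h; fall back to a no-op if absent.
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    ctx.set_ciphers(cipher_string)
    return ctx


def key_exchange_of(cipher_name):
    """Classify an OpenSSL suite name by its key exchange (helper of this example)."""
    if cipher_name.startswith("TLS_"):
        return "tls13"    # TLS 1.3 suites always use ephemeral (EC)DHE
    if cipher_name.startswith("ECDHE-"):
        return "ecdhe"    # works out of the box, per Matt's reply
    if cipher_name.startswith("DHE-"):
        return "dhe"      # usable only after SSL_CTX_set_tmp_dh()/set_dh_auto()
    return "static"       # RSA or other static key exchange: no forward secrecy


def audit_context(ctx):
    """Summarise what the context will actually offer to clients."""
    names = [suite["name"] for suite in ctx.get_ciphers()]
    return {
        "min_version": ctx.minimum_version.name,
        "server_preference": bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE),
        "tls12_suites": [n for n in names if key_exchange_of(n) != "tls13"],
        "needs_dh_params": [n for n in names if key_exchange_of(n) == "dhe"],
        "no_forward_secrecy": [n for n in names if key_exchange_of(n) == "static"],
        "aria_or_camellia": [n for n in names if "ARIA" in n or "CAMELLIA" in n],
    }


if __name__ == "__main__":
    for key, value in audit_context(build_server_context()).items():
        print(f"{key}: {value}")
```

Run it against the OpenSSL build your Python links to and compare the tls12_suites list with what a target browser actually negotiates; an empty needs_dh_params list confirms the thread's point that DH suites are not in play unless DH parameters are configured, and an empty aria_or_camellia list confirms that dropping those ciphers leaves the suites browsers use in practice untouched.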