How to get "EVP_PKEY *dhpkey" from NID_X9_62_prime256v1.
Matt Caswell
matt at openssl.org
Fri Aug 27 08:00:41 UTC 2021
On 27/08/2021 08:47, Kumar Mishra, Sanjeev wrote:
> Hi All,
> I am upgrading the code from OpenSSL 1.0.1 to OpenSSL 3.0.
> I am getting compilation errors for deprecated functions and structure
> like "EC_KEY_new_by_curve_name()" , "SSL_CTX_set_tmp_ecdh()" and
> "EC_KEY"......etc.
>
> The code is like follows --
> -------
> -------
> EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
> SSL_CTX_set_tmp_ecdh(mrmIcbPtr -> sslServerCtx, ecdh);
> .........
> .........
The SSL_CTX_set_tmp_ecdh man page says this:
"SSL_CTX_set_tmp_ecdh() sets ECDH parameters to be used to be B<ecdh>.
The key is inherited by all B<ssl> objects created from B<ctx>.
This macro is deprecated in favor of L<SSL_CTX_set1_groups(3)>."
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_tmp_ecdh.html
So call SSL_CTX_set1_groups() instead:
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html
Actually, even easier you can call SSL_CTX_set1_groups_list()
(documented on the same man page), which means you can just set the
group via a string:
SSL_CTX_set1_groups_list(mrmIcbPtr -> sslServerCtx, "P-256");
Where "P-256" is the string name associated with NID_X9_62_prime256v1.
Or your final alternative is to not doing anything at all, and simply
remove this code. In 3.0 you can specify multiple groups and they have
sensible defaults that are already set for you (which include X25519 and
P-256).
Matt
More information about the openssl-users
mailing list