Viktor Dukhovni openssl-users at
Sat Feb 22 03:34:17 UTC 2020

On Fri, Feb 21, 2020 at 11:00:10PM +0000, Matt Caswell wrote:

> dhparam itself has been deprecated. For that reason we are not
> attempting to rewrite it to use non-deprecated APIs. The informed
> decision we have made about DH_check use in dhparam is to not build the
> whole application in a no-deprecated build:
>   *) The command line utilities dhparam, dsa, gendsa and dsaparam have been
>      deprecated.  Instead use the pkeyparam, pkey, genpkey and pkeyparam
>      programs respectively.
>      [Paul Dale]

Dropping "dhparam" is rather an incompatible change.  It is widely used,
and its replacement is much more complex, and does not appear in how-to
guides that explain how to generate DH parameters.  Whatever API is
used in "pkeyparam" needs to be inserted into dhparam without changing
its CLI.

The same applies to genrsa, ... and even though I'm sometimes masochistic
enough to use "genpkey" (after checking the manpage again, or re-reading
my own script), it somehow has never managed to get to a point
where I can emit its various options from finger memory.


More information about the openssl-project mailing list