Deprecations

Dr Paul Dale paul.dale at oracle.com
Sat Feb 22 05:31:31 UTC 2020


The added complexity was of some concern to me when doing the deprecations.

I suspect we’ll also encounter difficulties getting 100% equivalent behaviour via PKEY.  There are some pretty arcane options in some of these.


Pauli
-- 
Dr Paul Dale | Distinguished Architect | Cryptographic Foundations 
Phone +61 7 3031 7217
Oracle Australia




> On 22 Feb 2020, at 9:51 am, Kurt Roeckx <kurt at roeckx.be> wrote:
> 
> On Fri, Feb 21, 2020 at 11:27:55PM +0000, Matt Caswell wrote:
>> 
>> 
>> On 21/02/2020 23:18, Kurt Roeckx wrote:
>>> On Fri, Feb 21, 2020 at 11:00:10PM +0000, Matt Caswell wrote:
>>>> 
>>>> dhparam itself has been deprecated. For that reason we are not
>>>> attempting to rewrite it to use non-deprecated APIs. The informed
>>>> decision we have made about DH_check use in dhparam is to not build the
>>>> whole application in a no-deprecated build:
>>>> 
>>>>  *) The command line utilities dhparam, dsa, gendsa and dsaparam have been
>>>>     deprecated.  Instead use the pkeyparam, pkey, genpkey and pkeyparam
>>>>     programs respectively.
>>>>     [Paul Dale]
>>> 
>>> For some reason I seem to have missed various things.
>>> 
>>> But I think deprecating tools like dhparam, dsaparam in favour of
>>> genpkey is something that we should reconsider.
>> 
>> What is your reasoning?
>> 
>> (I just realised that what the CHANGES entry says is that
>> dhparam/dsaparam are deprecated in favour of pkeyparam - but actually I
>> think the equivalent functionality is more split between genpkey and
>> pkeyparam)
> 
> Some equivalents:
> openssl dhparam 2048
> openssl genpkey -genparam --algorithm DH -pkeyopt dh_paramgen_prime_len:2048
> 
> openssl dsaparam 2048
> openssl genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:2048
> 
> 
> If you search the internet, you will more than likely find the first
> ones. They are very easy. I have to look at the manual page
> examples to know how to use genpkey.
> 
> 
> Kurt
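
The two command pairs quoted above, turned into a small translator. This is an added example, not part of the thread or of OpenSSL. `legacy_to_genpkey` is a hypothetical helper name; it handles only numbits, `-out` and the dhparam generator flags `-2`/`-5`, and refuses any other option rather than guess at an equivalent.

```shell
# Added example: print the genpkey command line for a legacy dhparam or
# dsaparam parameter-generation command. legacy_to_genpkey is a hypothetical
# helper, not an OpenSSL tool. It only prints the command; it does not run it.
legacy_to_genpkey() {
    tool=$1; shift
    case $tool in
        dhparam)  alg=DH;  bits_opt=dh_paramgen_prime_len ;;
        dsaparam) alg=DSA; bits_opt=dsa_paramgen_bits ;;
        *) echo "no mapping for tool: $tool" >&2; return 2 ;;
    esac
    out= gen= bits=
    while [ $# -gt 0 ]; do
        case $1 in
            -out)
                [ $# -ge 2 ] || { echo "-out needs a file" >&2; return 2; }
                out=$2; shift ;;
            -2|-5)
                # Generator selection only exists for DH parameters.
                [ "$alg" = DH ] || { echo "$1 is dhparam-only" >&2; return 2; }
                gen=${1#-} ;;
            -*)
                # Anything else is refused instead of silently dropped.
                echo "option $1 not translated; check behaviour by hand" >&2
                return 2 ;;
            *[!0-9]*|'')
                echo "bad numbits: $1" >&2; return 2 ;;
            *)  bits=$1 ;;
        esac
        shift
    done
    # Without numbits the legacy tools read parameters instead of generating.
    [ -n "$bits" ] || { echo "numbits required to generate" >&2; return 2; }
    cmd="openssl genpkey -genparam -algorithm $alg -pkeyopt $bits_opt:$bits"
    [ -z "$gen" ] || cmd="$cmd -pkeyopt dh_paramgen_generator:$gen"
    # The file name is appended unquoted; names with spaces need quoting.
    [ -z "$out" ] || cmd="$cmd -out $out"
    printf '%s\n' "$cmd"
}
```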
