[openssl-users] How to enforce DH field size in the client?

Jeffrey Walton noloader at gmail.com
Mon Oct 5 15:55:36 UTC 2015

Hi Everyone,

Based on the docs for SSL_CTX_set_tmp_dh_callback(3), the callback is
supposed to be invoked for DH parameter selection. The docs also
avoid/fail to state its  a server only feature, so its not clear to me
if the client is able to use it.

Its appears SSL_CTX_set_tmp_dh_callback and/or SSL_set_tmp_dh_callback
are not invoked at the client when the temporary pubic key is
selected, so there does not appear to be a way to query the field size
and fail the connection.

ARe clients supposed to be informed of DH parameter selection via
SSL_CTX_set_tmp_dh_callback and/or SSL_set_tmp_dh_callback? Or is
there another method available?

At the client, how do we enforce minimum Diffie-Hellman field sizes?


More information about the openssl-users mailing list