[openssl-users] DSA with OpenSSL-1.1

pepone.onrez pepone.onrez at gmail.com
Fri Jul 1 14:53:19 UTC 2016


On 1 July 2016 at 16:40, Hanno Böck <hanno at hboeck.de> wrote:
> Hi,
>
> On Fri, 1 Jul 2016 15:29:53 +0200
> "pepone.onrez" <pepone.onrez at gmail.com> wrote:
>
>> After upgrade my software to use OpenSSL-1.1 one of the test is
>> failing, the test in question client and server are configured to use
>> DSA certificates. The server is configured to request a client
>> certificate.
>
> I can't answer your question, but I have one to you: Why do you use DSA?
>
> There was a discussion in the TLS working group a while ago about DSA
> support and there was overwhelming support to remove it in TLS 1.3.
> The rationale was basically that DSA in TLS is rarely used at all, is
> often used with insecure key sizes (1024 bit) and has a severe weakness
> when it comes to bad random numbers. On top of that it has basically no
> advantage over the much more widely used RSA. The original reason
> (in the early 90s) to use DSA over RSA were patent issues, but those are
> long expired.
>
> So my (and I think most others) impression is that DSA in TLS is as
> dead as it can be and probably the most sane move for OpenSSL would be
> to just remove it. Given that I'd like to know why you seem to have
> chosen to still use DSA.

That is part of a large test suite for a library, just trying to
ensure that everything still works with OpenSSL 1.1.0.

>
> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: hanno at hboeck.de
> GPG: BBB51E42
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
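
The "severe weakness when it comes to bad random numbers" mentioned in the quoted message is the DSA per-signature nonce: if the same k is ever used for two signatures under one key, the private key falls out of simple modular arithmetic. The following is an added example, not code from this thread or from OpenSSL. It uses hand-picked toy parameters (p = 2039, q = 1019, g = 4, chosen so that q divides p-1 and g has order q) and reduces the SHA-256 digest mod q instead of truncating it to the bit length of q as real DSA does; the recovery algebra is the same at 2048/256-bit sizes.

```python
"""
Toy DSA with a nonce-reuse key-recovery attack.

Added illustration, not code from the openssl-users thread.  Parameters
p, q, g are constructed toy values (assumption: p = 2q + 1, g = 2^2 mod p);
production DSA uses 2048-bit p and 256-bit q, but the math is identical.
Requires Python 3.8+ for pow(a, -1, m).
"""
import hashlib

P, Q, G = 2039, 1019, 4  # toy parameters: q | p-1 and g has order q mod p


def hash_mod_q(message: bytes) -> int:
    """Real DSA truncates the digest to len(q) bits; mod q keeps the toy small."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % Q


def sign(x: int, message: bytes, k: int):
    """Standard DSA signing, but the nonce k is supplied by the caller.

    That is exactly the weak spot: k must be uniformly random and never
    repeated.  Returns None when r or s is zero (the spec says retry).
    """
    r = pow(G, k, P) % Q
    if r == 0:
        return None
    s = (pow(k, -1, Q) * (hash_mod_q(message) + x * r)) % Q
    if s == 0:
        return None
    return r, s


def verify(y: int, message: bytes, sig) -> bool:
    """Standard DSA verification against public key y = g^x mod p."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1 = (hash_mod_q(message) * w) % Q
    u2 = (r * w) % Q
    v = ((pow(G, u1, P) * pow(y, u2, P)) % P) % Q
    return v == r


def recover_private_key(m1: bytes, sig1, m2: bytes, sig2):
    """Recover (k, x) from two signatures that reused the nonce k.

    s_i = k^-1 (h_i + x r) mod q, so s1 - s2 = k^-1 (h1 - h2) and
    k = (h1 - h2) / (s1 - s2); then x = (s1 k - h1) / r.
    """
    r1, s1 = sig1
    r2, s2 = sig2
    if r1 != r2:
        raise ValueError("r differs: nonces were not reused, attack does not apply")
    h1, h2 = hash_mod_q(m1), hash_mod_q(m2)
    if (s1 - s2) % Q == 0:
        raise ValueError("s1 == s2: the two message hashes coincide mod q")
    k = ((h1 - h2) * pow(s1 - s2, -1, Q)) % Q
    x = ((s1 * k - h1) * pow(r1, -1, Q)) % Q
    return k, x


def demo():
    """Sign two messages with a repeated nonce, then recover the key."""
    x = 777  # victim's private key (constructed for the demo), 0 < x < q
    y = pow(G, x, P)
    m1 = b"client hello"
    # Pick a second message whose hash differs mod q so the attack's
    # division is well defined (a collision mod a toy-sized q is possible).
    h1 = hash_mod_q(m1)
    for i in range(1000):
        m2 = b"server finished %d" % i
        if hash_mod_q(m2) != h1:
            break
    # A broken RNG handing out the same k twice; take the first k that
    # produces two spec-valid signatures.
    for k in range(2, Q):
        sig1, sig2 = sign(x, m1, k), sign(x, m2, k)
        if sig1 and sig2:
            break
    assert verify(y, m1, sig1) and verify(y, m2, sig2)
    k_rec, x_rec = recover_private_key(m1, sig1, m2, sig2)
    return k_rec == k, x_rec == x


if __name__ == "__main__":
    print("nonce recovered, key recovered:", demo())
```

Both signatures verify as genuine, and the attacker needs only the two public (r, s) pairs and the signed messages. A biased or low-entropy nonce does not require an exact repeat either; partial knowledge of k across many signatures leaks the key through lattice techniques, which is why deterministic nonces (RFC 6979) or simply avoiding DSA are the usual advice.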

