[openssl-users] Diffie-Hellman Questions

Salz, Rich rsalz at akamai.com
Tue May 24 17:08:38 UTC 2016


> 1) The wiki says don't use ADH, presumably because ADH provides
> encryption but not authentication and is exposed to man in the middle
> attacks. Is that the only reason?

Use ECDH; it's less expensive computationally.
 
> 2) Are the same encryption keys used every time with ADH?

Yes.  That's the other BIG reason :)  You really want ephemeral, and therefore ECDH.

> 3) Is it possible to use ephemeral DH without using certificates?  I was not
> able to get that to work.

Yes.  This is "null" auth.
 
> 4) What is the best practice for establishing an anonymous encrypted
> channel using OpenSSL?

Postfix does this kind of thing, as does other SMTP software.  Look around for 'opportunistic encryption' perhaps.
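As an added example (not part of this thread or of OpenSSL's own code), the following Python uses the standard-library `ssl` module to show what an OpenSSL cipher string actually admits: which suites the anonymous keywords `aNULL`, `ADH` and `AECDH` map to, whether each uses finite-field or elliptic-curve key exchange, and how to confirm that a production cipher list excludes anonymous suites. The `auth-null` and `kx-dhe`/`kx-ecdhe` labels are what CPython reports from OpenSSL's cipher metadata; the exact suite names depend on the local OpenSSL build, and the hardened cipher string is a constructed sample.

```python
import ssl
from collections import Counter

# Constructed cipher strings for the demonstration (standard OpenSSL keywords).
ANON_STRINGS = ("aNULL", "ADH", "AECDH")
HARDENED = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL"


def suites_for(cipher_string):
    """Return the suite records OpenSSL admits for `cipher_string`.

    TLS 1.3 suites are listed regardless of the string (they are configured
    separately), and a string that matches nothing yields an empty list
    instead of raising.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return ctx.get_ciphers()


def is_anonymous(suite):
    """True when the suite provides no peer authentication.

    CPython labels the authentication algorithm 'auth-null' for these suites;
    `openssl ciphers -v` prints the same property as Au=None.
    """
    return suite.get("auth") == "auth-null" or "Au=None" in suite.get("description", "")


def anonymous_suites(cipher_string):
    """Sorted names of the anonymous suites a cipher string admits."""
    return sorted(s["name"] for s in suites_for(cipher_string) if is_anonymous(s))


def key_exchange_counts(cipher_string):
    """Count admitted anonymous suites by key exchange: finite-field DH is
    reported as 'kx-dhe', elliptic-curve DH as 'kx-ecdhe'."""
    return dict(Counter(s["kea"] for s in suites_for(cipher_string) if is_anonymous(s)))


def permits_anonymous(cipher_string):
    """Configuration check: does this cipher list leave any anonymous suite enabled?"""
    return bool(anonymous_suites(cipher_string))


if __name__ == "__main__":
    for spec in ANON_STRINGS:
        names = anonymous_suites(spec)
        print(f"{spec:6s} -> {len(names)} anonymous suites, key exchange {key_exchange_counts(spec)}")
        for name in names:
            print("         ", name)
    for spec in ("DEFAULT", HARDENED):
        print(f"{spec!r} permits anonymous suites: {permits_anonymous(spec)}")
```

Run it as a script to see the listing; `permits_anonymous()` is the piece worth wiring into a configuration test, since OpenSSL's `DEFAULT` already excludes `aNULL` but any hand-written cipher list should be checked the same way.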

