[openssl-users] Diffie-Hellman Questions
rsalz at akamai.com
Tue May 24 17:08:38 UTC 2016
> 1) The wiki says don't use ADH, presumably because ADH provides
> encryption but not authentication and is exposed to man in the middle
> attacks. Is that the only reason?
Use ECDH, it's less expensive computationally.
> 2) Are the same encryption keys used every time with ADH?
Yes. That's the other BIG reason :) You really want ephemeral, and therefore ECDH.
> 3) Is it possible to use ephemeral DH without using certificates? I was not
> able to get that to work.
Yes. This is "null" auth.
> 4) What is the best practice for establishing an anonymous encrypted
> channel using OpenSSL?
Postfix does this kind of thing, as does other SMTP software. Look around for 'opportunistic encryption' perhaps.
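A toy illustration of the reused-key versus ephemeral-key point raised under question 2, added here and not part of the mailing-list post. The group parameters are constructed for the demo (the Mersenne prime 2**127 - 1 with generator 3) and are not a secure choice, and the function names are my own; the same static/ephemeral distinction applies to ECDH with a curve such as X25519.

```python
"""Toy finite-field Diffie-Hellman: reused (static) key vs. ephemeral key."""
import secrets

# Constructed toy group for the demo only: 2**127 - 1 is prime, 3 is the
# generator used here. Not a secure choice; real deployments use standard
# groups (e.g. RFC 7919 ffdhe2048) or ECDH curves such as X25519.
P = 2**127 - 1
G = 3


def keygen():
    """Draw a fresh DH private key and return (private, public)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """Classic DH: both sides compute g^(ab) mod p."""
    return pow(peer_pub, priv, P)


def handshake(server_priv=None):
    """Run one unauthenticated DH handshake and return its transcript.

    server_priv=None models ephemeral DH: the server draws a fresh key and
    drops it after the handshake. Passing a key models a server that reuses
    the same DH key for every connection.
    """
    if server_priv is None:
        server_priv, server_pub = keygen()
    else:
        server_pub = pow(G, server_priv, P)
    client_priv, client_pub = keygen()
    transcript = {
        "server_pub": server_pub,  # visible on the wire
        "client_pub": client_pub,  # visible on the wire
        "session_secret": shared_secret(client_priv, server_pub),
    }
    # Both sides must agree on the secret, or the toy group is broken.
    assert transcript["session_secret"] == shared_secret(server_priv, client_pub)
    return transcript


def sessions_exposed(transcripts, leaked_server_priv):
    """Count recorded sessions whose secret is recoverable from one server
    private key plus the public values seen on the wire. This is the
    forward-secrecy difference: a reused key exposes every past session,
    an ephemeral key at most the one session it was used for."""
    return sum(
        1 for t in transcripts
        if pow(t["client_pub"], leaked_server_priv, P) == t["session_secret"]
    )
```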