[openssl-users] [openssl-dev] A question DH parameter generation and usage

Paul Yang paulyang.inf at gmail.com
Wed Dec 6 07:13:09 UTC 2017


For DHE_RSA, you first need a pair of RSA certificate/key for signing. And if you want to use specific DH parameters, you can use the SSL_CTX_set_tmp_dh API; there is documentation describing how to use this function.

DH parameters can be generated by OpenSSL in many ways; one of the common ways is by using the openssl-dhparam command-line tool. Check the -help option of that command.

BTW: it seems this email should be sent to the openssl-users list only...

> On 6 Dec 2017, at 14:02, Jayalakshmi bhat <bhat.jayalakshmi at gmail.com> wrote:
> 
> Hi,
> 
> We are planning to use DHE_RSA TLS ciphers in our product. I have a few questions on using DH parameters. We would like to use DH-2048.
> 
> Our product includes both TLS client and server applications. Thus at any time there will be a considerable number of active connections.
> 
> I believe we can use the same DH parameters for all the server connections. Is my understanding correct? Is there any risk in using the same parameters for all the server connections?
> 
> Another question is what guidelines/document should be followed to derive DH parameters.
> 
> Any input is appreciated.
> 
> Thanks and Regards
> Jayalakshmi.
> --
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
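As an added example (not code from either message or from OpenSSL), here are the checks a practitioner would want to run on a DH-2048 parameter set before loading it once into the SSL_CTX with SSL_CTX_set_tmp_dh, where every connection then shares it. The published 2048-bit RFC 3526 MODP group stands in for a parameter set written by openssl dhparam, and check_dh_params and _probably_prime are assumed helper names.

```python
import random

# RFC 3526 group 14 (the 2048-bit MODP group): a published safe prime with g = 2,
# used here as a realistic stand-in for the p that `openssl dhparam 2048` writes.
MODP_2048_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)

def _probably_prime(n, rounds=8):
    """Miller-Rabin with 8 random bases; enough to keep a 2048-bit check fast."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:                     # write n - 1 as d * 2**s with d odd
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:                             # no square reached -1: n is composite
            return False
    return True

def check_dh_params(p, g, min_bits=2048):
    """Return problems found with DH group (p, g); an empty list means it passes."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append("p is only %d bits, want at least %d" % (p.bit_length(), min_bits))
    if not _probably_prime(p):
        problems.append("p is not prime")
    elif not _probably_prime((p - 1) // 2):
        problems.append("p is not a safe prime: (p-1)/2 is composite")
    if not 1 < g < p - 1:
        problems.append("generator g must lie in 2..p-2")
    return problems

if __name__ == "__main__":
    print(check_dh_params(MODP_2048_P, 2) or "MODP-2048 passes all checks")
    print(check_dh_params(23, 5))          # toy group: safe prime but far too small
```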
