[openssl-users] A question DH parameter generation and usage

Viktor Dukhovni openssl-users at dukhovni.org
Wed Dec 6 18:21:14 UTC 2017

> On Dec 6, 2017, at 8:51 AM, Michael Wojcik <Michael.Wojcik at microfocus.com> wrote:
> Note: If you use OpenSSL 1.0.x and you use the DH parameter callback, be aware that the callback isn't invoked in a useful manner by OpenSSL. (It always asks for a 1024-bit group, unless an export cipher suite was selected, which should never happen.)

This is misleading.  The callback does not really ask for a 1024-bit group,
rather it passes one of two key-size hints "512" for export ciphers and 1024
for non-export ciphers.  Therefore, one can return any reasonable group size
instead of 1024 bits.  See for example:


where the "1024-bit" group returned by the tmp_dh callback is a 2048-bit group.

The text at:


may be helpful to some users not familiar with forward secrecy in TLS.

> In fact, now that export ciphers have gone the way of the dodo, the best thing to do is probably just set a single group of your preferred size in all your SSL_CTX structures and forget about the callback.

Sure, provided one is sure that this will not lead to (DH) private key re-use.
In sufficiently recent OpenSSL releases single DH use is the default and IIRC
cannot be disabled.  But older releases may more reliably avoid DH key re-use
when the group is provided via the tmp_dh callback.


More information about the openssl-users mailing list