SSL Server setup DH/ECDH
chitrang.srivastava at gmail.com
Tue Aug 6 10:07:26 UTC 2019
So now I have this, which I believe is enough?
SSL_CTX_set_options(s_ctx, SSL_OP_NO_RENEGOTIATION |
On Tue, Aug 6, 2019 at 3:04 PM Matt Caswell <matt at openssl.org> wrote:
> On 06/08/2019 09:42, Chitrang Srivastava wrote:
> > Hi,
> > I am implementing HTTPs server using openssl 1.1.1b.
> > Is it mandatory to setup these API's while creating ssl context ?
> > SSL_CTX_set_tmp_ecdh
> > SSL_CTX_set_tmp_dh
> By default OpenSSL will automatically use ECDH if appropriate and choose a
> suitable group so there is no need to call SSL_CTX_set_tmp_ecdh() unless
> you want more control over which specific group is used.
> OpenSSL will not use DH unless you specifically configure it. If you want to
> make use of DH based ciphersuites then you must either call SSL_CTX_set_tmp_dh()
> or SSL_CTX_set_dh_auto() (or the SSL_* equivalents). Calling the former allows
> you to configure any arbitrary DH group that you choose. Calling the latter will
> enable the built-in DH groups.
> It is not mandatory to call any of the above.
> > Also any suggestion what all options one should set while setting up
> > server like
> > SSL_CTX_set_options like SSL_OP_NO_SSLv2 |SSL_OP_NO_SSLv3
> Don't use the protocol version specific options at all. Use
> SSL_CTX_set_min_proto_version() if you want to specify a minimum protocol
> version. SSLv2 is no longer supported at all. SSLv3 is compiled out by default.
> Other options that are worth considering are SSL_OP_NO_RENEGOTIATION and
> (possibly) SSL_OP_CIPHER_SERVER_PREFERENCE. Generally you don't need the
> unless there is a specific problem you are trying to solve.