[openssl-users] OpenSSL 1.1.1 Support for DH Ciphers?
Jakob Bohm
jb-openssl at wisemo.com
Wed Jan 30 10:54:19 UTC 2019
On 30/01/2019 00:11, Kurt Roeckx wrote:
> On Tue, Jan 29, 2019 at 02:42:48PM -0500, Viktor Dukhovni wrote:
>>> On Jan 29, 2019, at 2:23 PM, Rich Fought <rmf.aero at gmail.com> wrote:
>>>
>>> The OpenSSL 1.1.1 ciphers manpage claims that some non-ephemeral DH ciphers are supported:
>>>
>>> TLS1.0:
>>> DH-RSA-AES128-SHA
>>> DH-RSA-AES256-SHA
>> The static DH and ECDH ciphers have been removed.
>>
>>> TLS1.2:
>>> DH-RSA-AES128-SHA256
>>> DH-RSA-AES256-SHA256
>>> DH-RSA-AES128-GCM-SHA256
>>> DH-RSA-AES256-GCM-SHA256
>>>
>>> However, I am unable to see them with openssl ciphers command
>>>
>>>> openssl ciphers -v -s DH
>>> All I see are DHE ciphers. DH is needed for compatibility with legacy servers.
>> They are NOT needed for compatibility with legacy servers.
> To clarify, the static DH has fixed DH parameters in the
> certificate. Instead of generating the parameters on each
> connection, it's fixed in the certificate. It's higly unlikely
> that you have such certificates. They're very difficult to
> actually generate. Other then some test certificates, I have never
> seen any actual such certificate.
>
> Even if you somehow managed to generate such certificate, both the
> client and server would actually need to be set up to work with
> static DH, and only static DH, which also seems unlikely.
>
At least when not using client certificates, no special client
configuration is needed (other than a non-crippled SSL library).
Server sends the DH parameters from the certificate. Client
generates a random ephemeral key (just like with the DHE suites),
server "signs" finished message with something derived from the
shared DH result, thus proving it has the private DH key to
correctly complete the DH exchange.
A few SSL/TLS messages may be differently formatted than for DHE,
that's all. Of cause the static DH suites provide no forward
secrecy after a private key breach, but that's no different
from the basic RSA suites.
Public CAs no longer issue DH certificates, so these will not be
found in public services that rely on the browser/mail/OS
certificate trusts, but they may still exist in private trust
contexts not constrained by browser politics.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
More information about the openssl-users
mailing list