Are DHE_DSS cipher suites not supported?
Viktor Dukhovni
openssl-users at dukhovni.org
Fri Oct 25 08:39:57 UTC 2019
On Fri, Oct 25, 2019 at 03:33:43PM +0800, John Jiang wrote:
> I'm using OpenSSL 1.1.1d.
> Just want to confirm if DHE_DSS cipher suites are not supported by this
> version.

They are supported, but:

  * DSS ciphersuites are disabled by DEFAULT.  You need to
    specify an explicit "-cipher" option to enable these,
    for example:

        $ openssl s_server -accept 12345 \
            -tls1_2 -cipher DHE-DSS-AES256-GCM-SHA384 \
            -dhparam dhparam.pem -key dsakey.pem -cert dsacert.pem

    or more typically:

        -cipher 'ALL:!RC4:!aNULL'

  * You should also supply DH parameters as above:

        -dhparam dhparam.pem

    I generated these with:

        $ openssl genpkey -genparam -algorithm dh \
            -pkeyopt dh_paramgen_prime_len:2048 -out dhparam.pem

--
Viktor.
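
Added example, not part of the original message: a small shell check for whether a given cipher string enables the DSS-authenticated suites discussed above, useful when auditing a server's "-cipher" setting. The helper names (dss_suites, dss_count, suite_enabled) are hypothetical; only the "openssl ciphers" command is assumed to be installed.

```shell
#!/bin/sh
# Added example: audit cipher strings for DSS-authenticated suites.
# Relies only on "openssl ciphers"; helper names are hypothetical.

# Print the names of all suites selected by cipher string $1
# whose authentication column reads Au=DSS.
dss_suites() {
    openssl ciphers -v "$1" 2>/dev/null | awk '/Au=DSS/ { print $1 }'
}

# Print how many DSS-authenticated suites cipher string $1 selects.
dss_count() {
    dss_suites "$1" | wc -l | tr -d ' '
}

# Return 0 if suite name $2 is selected by cipher string $1, else non-zero.
# The plain "openssl ciphers" output is a colon-separated list of names.
suite_enabled() {
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n' | grep -qx "$2"
}

# Report on the cipher strings mentioned in the message.
for cs in 'DEFAULT' 'DHE-DSS-AES256-GCM-SHA384' 'ALL:!RC4:!aNULL'; do
    printf '%-28s DSS suites: %s\n' "$cs" "$(dss_count "$cs")"
    if suite_enabled "$cs" 'DHE-DSS-AES256-GCM-SHA384'; then
        echo '    DHE-DSS-AES256-GCM-SHA384 is enabled'
    else
        echo '    DHE-DSS-AES256-GCM-SHA384 is NOT enabled'
    fi
done
```

The listing shows what the cipher string selects in the library; a handshake still needs a DSA key and certificate on the server, as in the s_server command above.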