Are DHE_DSS cipher suites not supported?
John Jiang
john.sha.jiang at gmail.com
Fri Oct 25 12:52:50 UTC 2019
On Fri, Oct 25, 2019 at 8:50 PM Matt Caswell <matt at openssl.org> wrote:
>
>
> On 25/10/2019 09:39, Viktor Dukhovni wrote:
> > On Fri, Oct 25, 2019 at 03:33:43PM +0800, John Jiang wrote:
> >
> >> I'm using OpenSSL 1.1.1d.
> >> Just want to confirm if DHE_DSS cipher suites are not supported by this
> >> version.
> >
> > They are supported, but:
> >
> > * DSS ciphersuites are disabled by DEFAULT. You need to
> > specify an explicit "-cipher" option to enable these,
> > for example:
> >
> > $ openssl s_server -accept 12345 \
> > -tls1_2 -cipher DHE-DSS-AES256-GCM-SHA384 \
> > -dhparam dhparam.pem -key dsakey.pem -cert dsacert.pem
> >
> > or more typically:
> >
> > -cipher 'ALL:!RC4:!aNULL'
> >
> > * You should also supply DH parameters as above:
>
> This step is optional. It will work just fine with default parameters if
> you don't specify them.
>
I only add option -cipher to s_server. That works for me.
Thanks!
>
> Matt
>
>
>
> >
> > -dhparam dhparam.pem
> >
> > I generated these with:
> >
> > $ openssl genpkey -genparam -algorithm dh \
> > -pkeyopt dh_paramgen_prime_len:2048 -out dhparam.pem
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20191025/3d9d7b66/attachment.html>
More information about the openssl-users
mailing list