DH parameter reading in OPENSSL 3

Tomas Mraz tomas at openssl.org
Wed Jul 13 16:06:04 UTC 2022


it is somewhat unclear to me why do you consider the migration_guide(7)
useless in this regard. Citing it:

SSL_CTX_set_tmp_dh_callback(), SSL_set_tmp_dh_callback(),
SSL_CTX_set_tmp_dh(), SSL_set_tmp_dh()

These are used to set the Diffie-Hellman (DH) parameters that are to be
used by servers requiring ephemeral DH keys. Instead applications
should consider using the built-in DH parameters that are available by
calling SSL_CTX_set_dh_auto(3) or SSL_set_dh_auto(3). If custom
parameters are necessary then applications can use the alternative
functions SSL_CTX_set0_tmp_dh_pkey(3) and SSL_set0_tmp_dh_pkey(3). 

So basically instead of SSL_CTX_set_tmp_dh() you should use

To get an EVP_PKEY instead of DH, you should use
OSSL_DECODER_from_bio() to read the parameters using the decoder. How
to do that you can find out in the OSSL_DECODER_FROM_bio() manual page
- just use the example for the RSA key but replace the
keytype, and drop the OSSL_DECODER_CTX_set_passphrase call as that is
useless for parameters.

Another even more simple option would be to use

Tomas Mraz

On Wed, 2022-07-13 at 16:35 +0200, Dirk Stöcker wrote:
> Hello,
> when upgrading to openssl3 my code states that some functions are 
> deprecated in openssl 3, but even after reading documentation I was 
> unable to find a non-deprecated replacement.
> Task is to read DH parameters in PEM format from a file and use them
> for 
> the current "context" and if not available choose some defaults.
> if((bio = BIO_new_file("filename", "r")))
> {
>    DH *dh = PEM_read_bio_DHparams(bio, 0, 0, 0);
>    BIO_free(bio);
>    /* if no DH inside, try internal defaults */
>    if(!dh && (bio = BIO_new_mem_buf(dhparam, sizeof(dhparam))))
>    {
>      dh = PEM_read_bio_DHparams(bio, 0, 0, 0);
>      BIO_free(bio);
>    }
>    if(dh)
>    {
>      SSL_CTX_set_tmp_dh(context, dh);
>      DH_free(dh);
>    }
> }
> Now it seems the default can be replaced by
> SSL_CTX_set_dh_auto(context, 1);
> instead of the the internal values but I have no idea how to use 
> OSSL_DECODER to get the parameters and pass them to context. The 
> migrationg guide is really useless and the examples and the openssl 
> source also didn't help much.
> Anybody who can help me? It's probably only a few calls when one
> knows 
> what to do.
> Freedom in Peace

Tomáš Mráz, OpenSSL

More information about the openssl-users mailing list