DH parameter reading in OPENSSL 3

Dirk Stöcker openssl at dstoecker.de
Wed Jul 13 16:45:48 UTC 2022

Hello Tomas Mraz,

> it is somewhat unclear to me why you consider the migration_guide(7)
> useless in this regard. Citing it:


The openssl documentation may be logical for someone who knows all the 
parts and how they work together, but for everybody else it's a large 
glob of isolated files which you simply can't bring together. You have 
pages which sometimes describe dozens of functions which seldom have 
examples and at least for me they don't help.

My initial TLS implementation took me days (although I do nothing except 
loading the parameters (key, cert, chain) and set up the stuff). Mostly I 
only got that done looking at the openssl tools and how they do it. AFTER 
you know what the code looks like the documentation helps, but not in 
getting to this state. Essentially for me the documentation thus always 
was only a means to verify that the examples I used actually are correct 
and not written by somebody who also doesn't understand it.

I already looked for more than 4 hours at openssl 3 documentation and 
wasn't able to find the correct approach even after trying lots of 
variants of the functions which Viktor showed in his example code (which 
BTW now took me about 20 minutes to understand, implement and test).

So yes. In my opinion the migration guide is useless. E.g. examples 
wouldn't hurt like

When you did this before
then replace it with that now
That usually brings you to the right way even when not fully matching your 

Actually I very much would like a function like

SetupTLS(const char **files, const char *cipherspec, const char *parameters)

Which I call and pass the user supplied files and optional parameter 
strings and openssl simply takes care of the stuff itself and provides me a 
ready to use context. But that's probably too much to wish for. ;-)

Freedom in Peace
https://www.dstoecker.eu/ (PGP key available)
