DH parameter reading in OPENSSL 3

Viktor Dukhovni openssl-users at dukhovni.org
Wed Jul 13 18:59:05 UTC 2022


On Wed, Jul 13, 2022 at 06:47:15PM +0200, Dirk Stöcker wrote:

> > https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_dh.c#L148-L205
> 
> Thanks a lot. Works in principle now with one exception. The previous 
> approach worked for a file, where first comes the PEM certificate and 
> afterwards the DH params. The new approach only works when the file has 
> nothing but the DH params inside. Is there a chance to get that behaviour 
> back or do I need to load the file and strip the certificate myself?

The work-around is to put the DH parameters first.  Otherwise, you'd
need to resort to the more general OSSL_STORE API, which loads objects
of various types, and you can then ignore the ones you don't care for.

Another option is to iterate through the PEM file via the generic PEM
API, and then decode just the desired objects:

    https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_certkey.c#L344-L378.

-- 
    Viktor.
