Andreas Metzler <[email protected]> writes:

> the API reference manual says this about gnutls_certificate_set_dh_params():
>
> | gnutls_certificate_set_dh_params is deprecated and should not be used in
> | newly-written code.
> |
> | This function is unnecessary and discouraged on GnuTLS 3.6.0 or later.
> | Since 3.6.0, DH parameters are negotiated following RFC7919.
>
> Which I would read as "when upgrading code to (only) work with gnutls 3.6.0
> one should delete any gnutls_certificate_set_dh_params() invocations since
> they are unnecessary because GnuTLS will automatically do RFC7919 negotiation."
>
> However it looks like (see below) that is not true: there is no automation,
> but gnutls_certificate_set_dh_params needs to be replaced with
> gnutls_certificate_set_known_dh_params().
>
> To verify this, take ex-serv-x509 and remove
> gnutls_certificate_set_known_dh_params(x509_cred, GNUTLS_SEC_PARAM_MEDIUM);
>
> After this change
>
>   openssl s_client -connect localhost:5556 -cipher DHE-RSA-AES256-GCM-SHA384 -tls1_2
>
> will fail.
That was also my expectation, though I suspect that it's saying that it only
works when the client advertises the "supported_groups" extension according to
the RFC, which is not sent with the above command.

In the OpenSSL git master, s_client provides the -groups option for that, and
you will be able to connect to the server with:

  $ openssl s_client -connect localhost:5556 -tls1_3 -groups ffdhe2048

though the option doesn't seem to work with -tls1_2.

Regards,
--
Daiki Ueno
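The point of the exchange above is that an RFC 7919 server only has something to negotiate when the ClientHello carries a supported_groups extension listing an ffdhe group. As an added example (not code from this thread, from GnuTLS or from OpenSSL), the Python below parses the supported_groups extension out of a TLS ClientHello handshake message and reports which ffdhe groups the client offered; the ClientHello builder is a constructed test fixture, not captured traffic, and its cipher suite and group ids are the IANA-registered values.

```python
import struct
from typing import List, Optional

# RFC 7919 finite-field group ids from the IANA TLS Supported Groups registry.
FFDHE_GROUPS = {0x0100: "ffdhe2048", 0x0101: "ffdhe3072", 0x0102: "ffdhe4096",
                0x0103: "ffdhe6144", 0x0104: "ffdhe8192"}
SUPPORTED_GROUPS_EXT = 0x000A  # extension type "supported_groups" (RFC 8422 / RFC 7919)


def supported_groups(client_hello: bytes) -> Optional[List[int]]:
    """Return the group ids listed in the ClientHello's supported_groups
    extension, or None when the extension is absent (the situation in which
    a server relying on RFC 7919 negotiation has nothing to choose from)."""
    pos = 4 + 2 + 32                       # handshake header, legacy_version, random
    sid_len = client_hello[pos]; pos += 1 + sid_len
    cs_len = struct.unpack_from("!H", client_hello, pos)[0]; pos += 2 + cs_len
    comp_len = client_hello[pos]; pos += 1 + comp_len
    if pos >= len(client_hello):
        return None                        # no extensions block at all
    ext_total = struct.unpack_from("!H", client_hello, pos)[0]; pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", client_hello, pos); pos += 4
        body = client_hello[pos:pos + ext_len]; pos += ext_len
        if ext_type == SUPPORTED_GROUPS_EXT:
            n = struct.unpack_from("!H", body, 0)[0]   # list length in bytes
            return [struct.unpack_from("!H", body, 2 + i)[0] for i in range(0, n, 2)]
    return None


def ffdhe_groups_offered(client_hello: bytes) -> List[str]:
    """Names of the RFC 7919 groups the client advertised (empty if none)."""
    groups = supported_groups(client_hello)
    return [FFDHE_GROUPS[g] for g in (groups or []) if g in FFDHE_GROUPS]


def build_client_hello(groups: Optional[List[int]]) -> bytes:
    """Constructed minimal ClientHello handshake message for testing: one cipher
    suite (TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x009F), null compression,
    and optionally a supported_groups extension with the given group ids."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x00\x9f" + b"\x01\x00"
    if groups is not None:
        glist = b"".join(struct.pack("!H", g) for g in groups)
        ext = struct.pack("!HHH", SUPPORTED_GROUPS_EXT, len(glist) + 2, len(glist)) + glist
        body += struct.pack("!H", len(ext)) + ext
    return b"\x01" + len(body).to_bytes(3, "big") + body
```

Feeding it a ClientHello with no supported_groups extension (like the quoted `-tls1_2` s_client invocation) yields an empty list, which is exactly the case where the server needs gnutls_certificate_set_known_dh_params() to have been called.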
