On Thursday, 25. April 2002 22:47, you wrote:
> Hi,
>
> I'm trying to use DH params from
> <http://www.ietf.org/internet-drafts/draft-ietf-ipsec-ike-modp-groups-04.txt>,
> but none get imported in openssl, and openssl returns
> DH_NOT_SUITABLE_GENERATOR... Can anyone give me a reason why ??

Hi Aslam,

the problem is that DH_check() checks whether the supplied generator (in our case 2) is a generating element of the full multiplicative group (of the field GF(p)). In the DH parameters from the draft-ietf-ipsec-ike-modp-groups-04.txt (created in accordance with RFC 2412, Appendix E) the generator 2 is a quadratic residue mod p (e.g. there exists an x in GF(p) with 2 = x^2 mod p) and hence 2 is not a generator of the full multiplicative group.

I propose you ignore (if you can) the result of DH_check(), because I don't think the parameters are insecure :)

Nils
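
The property discussed in the reply above can be checked numerically. The following is an added example, not part of the original mail and not OpenSSL code: it uses small constructed safe primes (an assumption; the draft's MODP primes are 1536 bits and larger) and hypothetical helper names to show when 2 is a quadratic residue, which subgroup it then generates, and what a full-group generator reveals about the exponent.

```python
# Added illustration, not code from the mailing-list post or from OpenSSL.
# Toy safe primes p = 2q + 1 (constructed; real MODP primes are 1536+ bits).
TOY_SAFE_PRIMES = (11, 23, 47, 59)

def is_prime(n):
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def is_quadratic_residue(a, p):
    """Euler's criterion: a is a square mod odd prime p iff a^((p-1)/2) == 1."""
    return pow(a, (p - 1) // 2, p) == 1

def element_order(g, p):
    """Order of g mod a safe prime p; it must divide p - 1 = 2q."""
    q = (p - 1) // 2
    assert is_prime(p) and is_prime(q), "p must be a safe prime"
    for d in (1, 2, q, 2 * q):
        if pow(g, d, p) == 1:
            return d

def classify_generator(g, p):
    """Summarise the generator property the reply describes for (p, g)."""
    q = (p - 1) // 2
    order = element_order(g, p)
    return {
        "p_mod_8": p % 8,  # 2 is a square mod p exactly when p % 8 is 1 or 7
        "quadratic_residue": is_quadratic_residue(g, p),
        "order": order,
        "generates_full_group": order == p - 1,
        "generates_prime_order_subgroup": order == q,
    }

def exponent_parity_leaks(g, p):
    """True if the residuosity of g^x mod p reveals x mod 2 for every x."""
    return all(is_quadratic_residue(pow(g, x, p), p) == (x % 2 == 0)
               for x in range(1, p - 1))

if __name__ == "__main__":
    for p in TOY_SAFE_PRIMES:
        print(p, classify_generator(2, p), "parity leak:", exponent_parity_leaks(2, p))
```

For p = 23 and p = 47 the generator 2 is a quadratic residue and has prime order q, so every public value is itself a residue and says nothing about the parity of the exponent; for p = 11 and p = 59 it generates the full group and the parity of x is visible from g^x.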
