Thanks for your answer,

So, some other questions...


I now use the DH-RSA-AES128-SHA cipher.

I have made a .pem file with my DH parameters. I load them using the
PEM_read_DHparams function.

HOW DO YOU PUT THOSE PARAMETERS IN THE SSL_CTX (if needed)?


Thanks!



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Lutz Jaenicke
Sent: Wednesday, January 15, 2003 12:10
To: [EMAIL PROTECTED]
Subject: Re: DH and RSA for TLS

On Wed, Jan 15, 2003 at 11:50:33AM +0100, p b wrote:
> I use openssl 0.9.7
> 
> I made a client - server connection, and I would like to use TLS with RSA
> and DH for key negotiation.
> 
> When I use "AES128-SHA" as cipher parameter, it works.
> 
> But when I set cipher list with "DHE-RSA-AES128-SHA" parameter, it
> doesn't.
> 
> I added       SSL_CTX_set_options(ssl_ctx,SSL_OP_SINGLE_DH_USE |
> SSL_OP_EPHEMERAL_RSA );
> 
> But the result is "no shared cipher"
> 
> Which params may I use, or which function may I add in order to allow
> the key negotiations using DH?

EPHEMERAL_RSA has nothing to do with your problem and it is not recommended
as it violates the TLS protocol. (If it is required by the protocol, it
is used automatically with or without this option.)

Did you check whether all requirements are fulfilled? DHE-RSA needs:
* RSA keys
* DH parameters
* random numbers
If the PRNG were not seeded, the error message would be different,
and if the RSA keys were missing, AES128-SHA would fail as well.
This leaves missing DH parameters...

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

