The added complexity was of some concern to me when doing the deprecations.
I suspect we’ll also encounter difficulties getting 100% equivalent behaviour via PKEY. There are some pretty arcane options in some of these.

Pauli
--
Dr Paul Dale | Distinguished Architect | Cryptographic Foundations
Phone +61 7 3031 7217
Oracle Australia

> On 22 Feb 2020, at 9:51 am, Kurt Roeckx <k...@roeckx.be> wrote:
>
> On Fri, Feb 21, 2020 at 11:27:55PM +0000, Matt Caswell wrote:
>>
>>
>> On 21/02/2020 23:18, Kurt Roeckx wrote:
>>> On Fri, Feb 21, 2020 at 11:00:10PM +0000, Matt Caswell wrote:
>>>>
>>>> dhparam itself has been deprecated. For that reason we are not
>>>> attempting to rewrite it to use non-deprecated APIs. The informed
>>>> decision we have made about DH_check use in dhparam is to not build the
>>>> whole application in a no-deprecated build:
>>>>
>>>> *) The command line utilities dhparam, dsa, gendsa and dsaparam have been
>>>> deprecated. Instead use the pkeyparam, pkey, genpkey and pkeyparam
>>>> programs respectively.
>>>> [Paul Dale]
>>>
>>> For some reason I seem to have missed various things.
>>>
>>> But I think deprecating tools like dhparam, dsaparam in favour of
>>> genpkey is something that we should reconsider.
>>
>> What is your reasoning?
>>
>> (I just realised that what the CHANGES entry says is that
>> dhparam/dsaparam are deprecated in favour of pkeyparam - but actually I
>> think the equivalent functionality is more split between genpkey and
>> pkeyparam)
>
> Some equivalents:
> openssl dhparam 2048
> openssl genpkey -genparam --algorithm DH -pkeyopt dh_paramgen_prime_len:2048
>
> openssl dsaparam 2048
> openssl genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:2048
>
>
> If you search the internet, you will more than likely find the first
> ones. They are very easy. I have to look up at the manual page
> examples to know how to use genpkey.
>
>
> Kurt
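The dhparam/dsaparam to genpkey mapping quoted in the thread, as an added example that is not from the thread or from the OpenSSL project: a shell function, under the hypothetical name `legacy_to_genpkey`, that rewrites a legacy parameter-generation command line into its genpkey form and prints it without running anything. It goes beyond the two quoted commands by also mapping `-out` and the DH generator flags `-2`/`-5`, and it rejects every other option rather than guess at an equivalent.

```shell
#!/bin/sh
# Added example (not OpenSSL project code). legacy_to_genpkey is a
# hypothetical helper name. It prints the genpkey command; it runs nothing.
# Only options with a known one-to-one mapping are accepted, so a legacy
# option whose behaviour might differ under genpkey is refused, not guessed.
legacy_to_genpkey() {
    tool=$1; shift
    case $tool in
        dhparam)  alg=DH;  bits_opt=dh_paramgen_prime_len ;;
        dsaparam) alg=DSA; bits_opt=dsa_paramgen_bits ;;
        *) echo "unsupported tool: $tool" >&2; return 2 ;;
    esac
    bits=''; gen=''; out=''
    while [ $# -gt 0 ]; do
        case $1 in
            -out)  [ $# -ge 2 ] || { echo "-out needs a file" >&2; return 2; }
                   out=$2; shift ;;
            -2|-5) [ "$alg" = DH ] || { echo "$1 is DH-only" >&2; return 2; }
                   gen=${1#-} ;;
            -*)    echo "no verified genpkey mapping for $1" >&2; return 2 ;;
            *[!0-9]*|'') echo "bad size: $1" >&2; return 2 ;;
            *)     bits=$1 ;;
        esac
        shift
    done
    # Without a size the legacy tools read existing parameters instead of
    # generating new ones; that is not a genpkey -genparam job.
    [ -n "$bits" ] || { echo "no size given" >&2; return 2; }
    cmd="openssl genpkey -genparam -algorithm $alg -pkeyopt $bits_opt:$bits"
    [ -z "$gen" ] || cmd="$cmd -pkeyopt dh_paramgen_generator:$gen"
    [ -z "$out" ] || cmd="$cmd -out $out"
    printf '%s\n' "$cmd"
}
```

A refused option is the signal to compare the two tools by hand, for example by inspecting the generated parameters with `openssl pkeyparam -text -noout`.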