RE: Root Certificates dir

Thu, 22 Mar 2007 16:13:32 -0800 

Hello,
> I asked you last week:
> > I have to interface with a client running 
> > TLS_RSA_WITH_3DES_EDE_CBC_SHA1. For me, it means:
> >..........
> > Please very my thought is correctly . DH is not involved at all ??? I 
> > always think that DH have to be involved when using symmetric key.
> 
> You answered 
> >Yes, in this case DH is not used.
> 
> I have a problem with what to do with Ephemeral keying. In openssl, It
> seem to me that I have two choices to use Ephemeral keying: temporary
> RSA keys or Diffie_Hellman (DH) key agreement. 
> 
> For temporary RSA keys, using something like:
> 
>   SSL_CTX_set_options(ctx,
> SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_EPHEMERAL_RSA)
>   RSA *rsa;
>   > >       rsa=RSA_generate_key(512,RSA_F4,NULL,NULL);
>   > >       if (!SSL_CTX_set_tmp_rsa(SSL_context,rsa)){
>   > >               ExitPostmaster(1);
>   > >       }
>   > >       RSA_free(rsa);
> 
> For Diffie_Hellman (DH) , using something like:
>  
>   SSL_CTX_set_options(ctx,
> SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE)
>   SSL_CTX_set_tmp_dh_calback(...);
> 
> I can not use Diffie_Hellman (DH) key agreement because my
> TLS_RSA_WITH_3DES_EDE_CBC_SHA1 requirement. I can implement this but it
> does not help because the DH is not used in this case.
> 
> I can not use temporary RSA keys because of: 
> 
> >Temporary RSA keys are only used in some export ciphersuites which are
> now obsolete. The use of ephemeral
> > RSA keys actually violates the standards in that particular
> ciphersuite.
> 
> 
> What else can I do to implement Ephemeral keying ??? Please help. I have
> limited knowledge in this openssl.
Sorry for such late response.
As already Steve said that is some compatibility problem and if you can
live with that I do not see and problems.
In this case you are not inventing your own crypto protocol (which
is not easy and very dangerous) but you use some approved one.
Maybe for different purpose but may be useful and maybe in some
feature can be standard for example in TLS1.2 :-). Who knows.

Best regards,
-- 
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to