> From: owner-openssl-users On Behalf Of Viktor Dukhovni
> Sent: Friday, October 25, 2013 09:46
> On Fri, Oct 25, 2013 at 06:35:08AM -0700, LN wrote:
>
> > I mean in a typical usage of OpenSSL is it mandatory to call
> > SSL_CTX_set_tmp_dh() if I call SSL_CTX_use_certificate()
> > and SSL_CTX_use_PrivateKey().
>
> No, this is optional.
>
Maybe. Assuming only server 'typically' sets key&cert,
it depends on what you want the server to support.
If you want to (maybe need to) support EDH, you must either
set_tmp_dh or set_tmp_dh_cb. Ditto for ADH, but that's rare
at least on the public net. If your clients/users demand
forward secrecy -- which since Snowden has become more popular --
then EDH or EECDH are the only authenticated choices to accomplish
this, and as noted recently getting EECDH to interoperate may be
an issue.

> > I know that for RSA keys, for example, the session key exchange is done
> > using the public keys of the client and server.
>
> No, this depends on the cipher-suite.
>
Technically DH keys are also public/private pairs (x and y = g^x mod p),
but EDH (and ADH) keys are normally ephemeral so people don't notice them.
(And the same for EC, except it's point multiply instead of modexp.)

akRSA key-exchange uses server RSA keypair for key-exchange;
if client-auth is used client (RSA) keypair is used to sign
key-exchange data. EDH-RSA uses the server (RSA static) keypair
to sign key-exchange data, and both DH keypairs for key-agreement.
Static DH (rarely if ever used, and not yet released in OpenSSL
but reportedly will in 1.0.2) uses the DH keypairs for key-agreement,
and higher (RSA/DSA) publickey to verify the cert.

> > If my understanding is correct, the DH parameters are used for
> > key exchange also.
>
> No, not "also", rather "instead" when an EDH cipher-suite is
> negotiated.
>
Right. (Technically DH parameters and keys are used, but the keys
are usually ephemeral, so the application need only care about
parameters.)

> > So if public keys are used, is there a situation when the DH parameters
> > will be used instead for key exchange?
>
> When an EDH cipher-suite is negotiated.
>
> > So is my understanding correct, that DH might be used if the client
> > uses a protocol for key exchange that is based on DH and if the
> > server doesn't have the DH parameters, the negotiation will fail
>
> No, the server won't negotiate an EDH cipher-suite when it has no
> DH parameters. Clients don't begin EDH/EECDH key exchange, servers do.
>
The client doesn't start key-exchange, but what it offers limits
what the server can choose. If the client offers only EDH suite(s),
and the server doesn't have DH parameters, then negotiation will
indeed fail.
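
Added example, not part of the original message and not OpenSSL code: a small C model of the server-side choice this thread describes, showing that a server without DH parameters quietly falls back to plain RSA key exchange on a mixed offer and fails only when the client offers EDH alone. `struct server_cfg`, `usable()` and `negotiate()` are hypothetical names, the offers are constructed samples, and honouring client order is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Key-exchange families named in the thread. */
enum kx { KX_RSA, KX_EDH_RSA, KX_ADH };

struct suite { const char *name; enum kx kx; };

/* Hypothetical model of what the server application configured. */
struct server_cfg {
    int has_cert_key;  /* SSL_CTX_use_certificate() + SSL_CTX_use_PrivateKey() */
    int has_dh_params; /* SSL_CTX_set_tmp_dh() or SSL_CTX_set_tmp_dh_cb() */
};

/* Constructed client offers, in client preference order. */
static const struct suite OFFER_MIXED[] = {
    { "DHE-RSA-AES128-SHA", KX_EDH_RSA }, { "AES128-SHA", KX_RSA } };
static const struct suite OFFER_EDH_ONLY[] = {
    { "DHE-RSA-AES128-SHA", KX_EDH_RSA } };

/* Can the server complete this key exchange with what it has? */
static int usable(const struct server_cfg *s, enum kx kx)
{
    switch (kx) {
    case KX_RSA:     return s->has_cert_key;                     /* RSA key does the exchange */
    case KX_EDH_RSA: return s->has_cert_key && s->has_dh_params; /* RSA signs, DH agrees */
    case KX_ADH:     return s->has_dh_params;                    /* no certificate involved */
    }
    return 0;
}

/* Assumption: server honours client order. NULL models a handshake failure. */
static const char *negotiate(const struct server_cfg *s,
                             const struct suite *offer, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (usable(s, offer[i].kx))
            return offer[i].name;
    return NULL;
}

int main(void)
{
    struct server_cfg no_dh = { 1, 0 }, with_dh = { 1, 1 };
    const char *r = negotiate(&no_dh, OFFER_EDH_ONLY, 1);
    printf("DH set, mixed offer:    %s\n", negotiate(&with_dh, OFFER_MIXED, 2));
    printf("no DH,  mixed offer:    %s\n", negotiate(&no_dh, OFFER_MIXED, 2)); /* no forward secrecy */
    printf("no DH,  EDH-only offer: %s\n", r ? r : "(handshake fails)");
    return 0;
}
```

The second case is the one to watch for in deployment: the handshake succeeds, so nothing signals that the server stopped offering forward secrecy.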