Thanks Matt. So now I have this, which I believe is enough?

SSL_CTX_set_options(s_ctx, SSL_OP_NO_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE);
SSL_CTX_set_min_proto_version(s_ctx, TLS1_2_VERSION);

On Tue, Aug 6, 2019 at 3:04 PM Matt Caswell <m...@openssl.org> wrote:
>
>
> On 06/08/2019 09:42, Chitrang Srivastava wrote:
> > Hi,
> >
> > I am implementing an HTTPS server using openssl 1.1.1b.
> > Is it mandatory to set up these APIs while creating the ssl context?
> >
> > SSL_CTX_set_tmp_ecdh
> >
> > SSL_CTX_set_tmp_dh
>
> By default OpenSSL will automatically use ECDH if appropriate and choose a
> suitable group so there is no need to call SSL_CTX_set_tmp_ecdh() unless you
> want more control over which specific group is used.
>
> OpenSSL will not use DH unless you specifically configure it. If you want to
> make use of DH based ciphersuites then you must either call SSL_CTX_set_tmp_dh()
> or SSL_CTX_set_dh_auto() (or the SSL_* equivalents). Calling the former enables
> you to configure any arbitrary DH group that you choose. Calling the latter will
> enable the built-in DH groups.
>
> It is not mandatory to call any of the above.
>
> >
> > Also, any suggestion what options one should set while setting up a server, like
> > SSL_CTX_set_options with SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3?
>
> Don't use the protocol version specific options at all. Use
> SSL_CTX_set_min_proto_version() if you want to specify a minimum protocol
> version. SSLv2 is no longer supported at all. SSLv3 is compiled out by default.
>
> Other options that are worth considering are SSL_OP_NO_RENEGOTIATION and
> (possibly) SSL_OP_CIPHER_SERVER_PREFERENCE. Generally you don't need the others
> unless there is a specific problem you are trying to solve.
>
> Matt