Re: understand 'openssl dhparms ....'
On Tuesday, February 19, 2019 at 10:47:44AM +, Matt Caswell wrote:
> On 19/02/2019 08:57, Matthias Apitz wrote:
> >
> > Two questions:
> >
> > 1. Why does this have no input file? Shouldn't it have one, and which? The man
> > page says it would read stdin, but it doesn't do so.
>
> The man page in question is here:
>
> https://www.openssl.org/docs/man1.1.1/man1/dhparam.html
>
> I draw your attention to the description of the "numbits" value (i.e. 1024 in
> your command line):
>
> ...

Matt, thanks for the detailed explanation.

	matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
October, 7 -- The GDR was different: Peace instead of Bundeswehr and wars,
Druschba instead of Nazis, to live instead of to survive.
Re: understand 'openssl dhparms ....'
On 19/02/2019 08:57, Matthias Apitz wrote:
>
> Two questions:
>
> 1. Why does this have no input file? Shouldn't it have one, and which? The man
> page says it would read stdin, but it doesn't do so.

The man page in question is here:

https://www.openssl.org/docs/man1.1.1/man1/dhparam.html

I draw your attention to the description of the "numbits" value (i.e. 1024 in
your command line):

"This option specifies that a parameter set should be generated of size
numbits. It must be the last option. If this option is present then the input
file is ignored and parameters are generated instead. If this option is not
present but a generator (-2 or -5) is present, parameters are generated with a
default length of 2048 bits."

So by specifying 1024 you are asking to *generate* new parameters of size 1024
bits and so the input file is ignored.

> 2. When I re-run the examples today the above command does not even
> produce a file 'dh1024.pem', but writes the result to stdout:
>
> openssl dhparam 1024 -2 -outform PEM -out dh1024.pem
> (lot of random output) ...
> -----BEGIN DH PARAMETERS-----
> MIGHAoGBAIc6JqvNBSGwdBBzIJQAuq+TG+ttNNYZcUv/p3/nloWGwxeCKqWt2M4x
> z6WsA3tVbykRw80A0Rja2y7IHZ9dGJc/guxrxUpNketeSddFzGicz6mrEafSdurd
> ephztXEmQ63XP4ULPlcaOXzYk6GLUXFYKVYuIHnpdcJLLRMFWZ0bAgEC
> -----END DH PARAMETERS-----
>
> How is this supposed to work? Thanks

The options are the wrong way around: the numbits value is supposed to be last,
so actually the rest of your options are being ignored. The command line should
be:

openssl dhparam -2 -outform PEM -out dh1024.pem 1024

It seems that in OpenSSL 1.1.0 we got stricter about the ordering of the
command line parameters. We probably really ought to error out if there are
trailing options that we haven't processed.

Note that 1024 is these days considered too short. At a *minimum* you should be
using at least 2048.

I would also draw your attention to the SSL_CTX_set_dh_auto() and
SSL_set_dh_auto() macros that your server can use (available since OpenSSL
1.1.0). These are sadly undocumented (gr) but the use is straightforward:

SSL_CTX_set_dh_auto(ctx, 1);

or

SSL_set_dh_auto(s, 1);

By making these calls your server will use automatic built-in DH parameters and
there is no need to supply your own explicitly.

Matt
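One way to script the corrected step from Matt's reply, as an added example that is not part of the thread: it keeps numbits last, refuses sizes below 2048, and re-reads the output with '-check' and '-text' so a silently ignored option cannot go unnoticed. The function names and the 2048 floor are my own choices, not anything from OpenSSL itself.

```shell
#!/bin/sh
# Added example (not from the thread): generate DH parameters with the
# option order Matt describes (numbits LAST) and verify what was written.
set -u

# Smallest size accepted; the thread's 1024 bits is rejected as too short.
MIN_DH_BITS=2048

# check_dh_bits BITS -> 0 if BITS is an integer >= MIN_DH_BITS, else 1
check_dh_bits() {
  case "$1" in
    ''|*[!0-9]*) echo "dh bits must be a positive integer: '$1'" >&2; return 1 ;;
  esac
  if [ "$1" -lt "$MIN_DH_BITS" ]; then
    echo "refusing $1-bit DH parameters; minimum is $MIN_DH_BITS" >&2
    return 1
  fi
  return 0
}

# gen_dh_params OUTFILE BITS
# Runs 'openssl dhparam' with the generator and output options first and the
# numbits value last (the ordering the 1.1.x CLI requires), then re-reads the
# file: -check validates prime and generator, -text confirms the prime size,
# so a wrong-ordered command that only printed to stdout would fail here.
gen_dh_params() {
  out=$1; bits=$2
  check_dh_bits "$bits" || return 1
  openssl dhparam -2 -outform PEM -out "$out" "$bits" 2>/dev/null || return 1
  openssl dhparam -in "$out" -check -noout >/dev/null 2>&1 || return 1
  openssl dhparam -in "$out" -text -noout 2>/dev/null | grep -q "($bits bit)"
}

# Usage (generating 2048-bit safe-prime parameters can take a while):
#   gen_dh_params dh2048.pem 2048 && echo "dh2048.pem OK"
```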
understand 'openssl dhparms ....'
Hello,

Some years ago (in 2012) I wrote an OpenSSL server, loosely based on the example
sources 'openssl-examples-20020110' which nowadays still exist in
https://github.com/smbutton/DataCommProject/tree/master/openssl-examples-20020110/openssl-examples-20020110

There was also some guidance available about how to create the necessary key
material, which goes more or less like this:

$ mkdir newca
$ cd newca
$ cp /usr/local/openssl/misc/CA.sh .
$ ./CA.sh -newca

will create a new CA. Remember the passphrase as you will need it to sign
certificates.

$ cp demoCA/cacert.pem ../root.pem

Second step

$ ./CA.sh -newreq

will create a certificate and a certification request. Set the passphrase to
'password' as this is hard-coded in the examples' source code. It is important
to set the [Common Name] to 'localhost'.

Third step

$ ./CA.sh -sign

will sign your newly created certificate. Enter the password for your CA which
you have defined in step 1.

Fourth step

$ cat newreq.pem newkey.pem newcert.pem > ../localhost.pem
$ cd ..
$ ln -s localhost.pem server.pem
$ ln -s localhost.pem client.pem

Maybe you also want to issue

$ openssl dhparam 1024 -2 -out dh1024.pem -outform PEM

in order to update the DH parameters.

What I (today) do not understand is the last step about creating the file
'dh1024.pem' :-(

Two questions:

1. Why does this have no input file? Shouldn't it have one, and which? The man
page says it would read stdin, but it doesn't do so.

2. When I re-run the examples today the above command does not even produce a
file 'dh1024.pem', but writes the result to stdout:

openssl dhparam 1024 -2 -outform PEM -out dh1024.pem
(lot of random output) ...
-----BEGIN DH PARAMETERS-----
MIGHAoGBAIc6JqvNBSGwdBBzIJQAuq+TG+ttNNYZcUv/p3/nloWGwxeCKqWt2M4x
z6WsA3tVbykRw80A0Rja2y7IHZ9dGJc/guxrxUpNketeSddFzGicz6mrEafSdurd
ephztXEmQ63XP4ULPlcaOXzYk6GLUXFYKVYuIHnpdcJLLRMFWZ0bAgEC
-----END DH PARAMETERS-----

How is this supposed to work?

	Thanks

	matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub