For DHE_RSA, you first need a pair of RSA certificate/key for signing. And you
if want to use specific DH parameters, you can use the SSL_CTX_set_tmp_dh API,
there is documentation describing how to use this function.
DH parameter could be generated by OpenSSL in many ways, one of the common way
Hi,
I have a question on ECC ciphers implementaion in OpenSSL. I do see
README.ECC file in FIPS certfied OpenSSL crypto library. That says The
OpenSSL Software Foundation has executed a sublicense agreement
entitled "Elliptic Curve Cryptography Patent License Agreement" with the
National Security
Hi,
We are planning to use DHE_RSA TLS ciphers into our product. I have few
questions on using DH parameter. We would like to use DH-2048.
our product includes both TLS client and server applications. Thus any time
there will be considerable number of active connectioons.
I believe we can use sa
On Tue, 5 Dec 2017 19:14:41 + (UTC)
Jitendra Lulla via openssl-dev wrote:
> Could the solution be a restricted count of HB requests along with a
> timer?
No, the solution is to disable TLS heartbeats.
I actually wanted to bring this up when I recently noticed that OpenSSL
still enables the
The purpose of the HEARTBEAT message is for DTLS applications to determine the
maximum packet size and tune the application records accordingly. There is
never any reason to use this in TCP-based TLS; that was an OpenSSL bug that
enabled it there.
The usefulness of HEARTBEAT even in DTLS is pro
Hi,
With an "intentionally corrupted" tls1_heartbeat() in Openssl 1.0.2l, heart
beat requests with big payloads such as 16300 or slightly more can be
repeatedly sent to the server.
The server, religiously responds back with such big payloads after spending its
cpu on encrypting/HMAC computin