> David Murphy wrote:
> 
> Hi - We're trying to use the cipher suites :-
> 
> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
> SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
> 
> and despite much time spent are getting absolutely nowhere trying to
> figure out how to setup so that that the OpenSSL server_c will accept
> them during an SSL handshake ....
> 
> 1. We have been told that we need a DSA (not RSA) certificate when
> Diffie Hellman. OK - what are the ** specific ** steps (and program
> arguments) to generate this using OpenSSL?
> There is something called gendsa.c and dsaparam.c. How do I use these
> programs (or any others required) to generate a DSA cert?
> 
> A specific example would be most helpful please..
> 
> I tried using some PEM files that appear to contain DSA certs but
> OpenSSL always asks for a passphrase. How do I find out what to enter
> there?
> 

This isn't that different from the RSA case. The main difference is that
you have to generate some DSA parameters which are used for DSA key
generation and then supply those when you need to generate a DSA key.

Anyway, here's how it goes.

1. Generate some DSA parameters:

openssl dsaparam -out dsap.pem 1024

This will take a while. DSA parameters don't contain any sensitive info
so they aren't encrypted.

2. Generate a DSA certificate:

openssl req -x509 -newkey dsa:dsap.pem -out cert.pem

This will give you a DSA private key in privkey.pem and a self-signed
DSA certificate in cert.pem. At this point you can use this self-signed
certificate as the SSL certificate or optionally use it in a CA...

3. Make a DSA CA (optional).

You can make a DSA CA using the 'CA.sh' script. First do:

CA.sh -newca

give the self-signed certificate file name when prompted. Copy the
private key (in privkey.pem) to demoCA/private/cakey.pem

4. Make DSA certificate requests:

openssl req -newkey dsa:dsap.pem -out newreq.pem

You can use the same parameters or generate a new set.

5. Sign the requests.

CA.sh -signreq

At this point you will either have a self-signed certificate and private
key or a DSA CA and several certificates signed by it.

> 2. We have been told that we also need to generate ephemeral DH
> parameters. What are the specific steps to generate these using
> OpenSSL? There is something called gendh.c - is that what we should
> use?
> 
> A specific example would be most helpful please..
> 

You can generate DH parameters with e.g.:

openssl gendh -out dhparam.pem 1024

> 
> 3. How do I install/setup the results of 1 and 2 so that OpenSSL will
> accept our cipher suites?
> 
> A specific example would be most helpful please..
> 

OK. With s_server you take your server certificate and private key and
DH parameters and concatenate them into one file called server.pem. Now
when you do:

openssl s_server 

You should be able to connect with s_client and use the DSS+DH cipher
suites. You can then play with the cipher string to enable just the ones
you want.

Ugh: I've just noticed the DH parameters in s_server are hard coded to
load from a file called server.pem... that'll have to go!

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
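The procedure from the reply above, scripted end to end as an added example (not from the original thread or the OpenSSL project). It assumes a modern OpenSSL, where `openssl dhparam` stands in for the old `gendh` and keys below 2048 bits are rejected at the default security level; the file names, subject and sizes are my own choices.

```shell
#!/bin/sh
# Build server.pem for s_server the way the reply describes: DSA params,
# DSA key + self-signed cert, DH params, all concatenated into one file.
# Assumes OpenSSL >= 1.1 (openssl dhparam instead of the old gendh).
set -eu

# Steps 1, 2 and the DH step, run non-interactively. -nodes leaves the
# private key unencrypted so s_server never prompts for a passphrase
# (the passphrase question in the original mail). Sizes are my choice.
make_server_pem() {
    dir=$1
    openssl dsaparam -out "$dir/dsap.pem" 2048 2>/dev/null
    openssl req -x509 -newkey dsa:"$dir/dsap.pem" -nodes -days 30 \
        -subj "/CN=dss-test-server" \
        -keyout "$dir/privkey.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl dhparam -out "$dir/dhparam.pem" 2048 2>/dev/null
    cat "$dir/privkey.pem" "$dir/cert.pem" "$dir/dhparam.pem" \
        > "$dir/server.pem"
}

# Check the bundle before starting s_server: the DHE-DSS suites can only
# be negotiated if the file carries a private key, a certificate and DH
# parameters. A missing DH block is the usual cause of "no shared cipher".
check_server_pem() {
    f=$1
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f" \
        || { echo "no private key in $f" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" \
        || { echo "no certificate in $f" >&2; return 1; }
    grep -q -- '-----BEGIN DH PARAMETERS-----' "$f" \
        || { echo "no DH parameters in $f" >&2; return 1; }
    return 0
}

# Generation is slow (DH parameters), so only run it when asked:
#   RUN_DEMO=1 sh make_server_pem.sh
# SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA is DHE-DSS-DES-CBC3-SHA in OpenSSL's
# cipher naming; newer builds class 3DES as weak, so name it explicitly.
if [ "${RUN_DEMO:-0}" = 1 ]; then
    work=$(mktemp -d)
    make_server_pem "$work"
    check_server_pem "$work/server.pem"
    echo "bundle ready: cd $work && openssl s_server -cipher DHE-DSS-DES-CBC3-SHA"
fi
```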
