Oliver King wrote:
> 
> Hi,
> 
> 
> My first question is about the ADH cipher suites. Try as I might, I cannot
> get a successful connection using any ADH cipher, e.g. ADH-DES-CBC-SHA. The
> server always fails in SSL_accept() and gives the following output from
> ERR_print_errors_fp():
> 
> 420:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
> cipher:.\ssl\s3_srvr.c:714:
> 
> Is there anything special I should be doing to allow ADH to work?
> 

Yes there's a silly compilation option you need to add to get this to
work. You need to compile with SSL_ALLOW_ADH otherwise anon DH doesn't
work.

This should be removed at some point so ADH is allowed but not in the
cipher list by default. A similar thing was done with NULL ciphers:
there used to be a compilation option for those but now it's been changed
so they can be used directly but 'ALL' was changed to mean "everything
except NULL ciphers".

> My second question concerns plain DH. OpenSSL seems to know about DH, since
> cipher suites such as DH-DSS-DES-CBC-SHA are mentioned in ssl\s3_lib.c, but
> they're marked as invalid. What does this mean? Are they not supported, or
> can I get equivalent functionality some other way?
> 

OpenSSL doesn't (yet) support DH certificates so it can't use those
ciphersuites that need them. Apparently SSL v3 uses PKCS#3 DH
certificates (X9.42 wasn't around then) but I've never heard of it being
actually used or indeed even seen a PKCS#3 DH certificate. I have
however seen X9.42 DH certificates but not for anything other than test
purposes at the moment: and I don't know of any CA that issues them.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
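
An added audit helper, not from this thread or the OpenSSL project, that parses the `openssl ciphers -v` output format and flags the two weak classes the reply above discusses: anonymous (ADH, `Au=None`) suites and NULL-encryption (`Enc=None`) suites. The sample output is constructed; `aNULL` and `eNULL` are OpenSSL cipher-string keywords.

```python
import re

# Constructed sample of `openssl ciphers -v` output (not taken from the
# original message); the column layout mirrors the real format.
SAMPLE_CIPHERS_V = """\
ADH-DES-CBC-SHA         SSLv3 Kx=DH       Au=None Enc=DES(56)   Mac=SHA1
DH-DSS-DES-CBC-SHA      SSLv3 Kx=DH/DSS   Au=DH   Enc=DES(56)   Mac=SHA1
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` lines into {suite_name: {field: value}}."""
    suites = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        name, proto = parts[0], parts[1]
        suites[name] = {"proto": proto, **dict(FIELD_RE.findall(line))}
    return suites


def audit(suites):
    """Return (anonymous, null_encryption) suite-name lists.

    Au=None is anonymous key exchange (the ADH suites asked about): the peer
    is never authenticated, so an active attacker can interpose itself.
    Enc=None is a NULL cipher: integrity only, no confidentiality.
    """
    anonymous = sorted(n for n, s in suites.items() if s.get("Au") == "None")
    null_enc = sorted(n for n, s in suites.items() if s.get("Enc") == "None")
    return anonymous, null_enc


def hardened_cipher_string(base="ALL"):
    """Cipher string that drops both classes explicitly, whatever the
    build's `ALL` keyword happens to include (aNULL = anonymous, eNULL = NULL)."""
    return f"{base}:!aNULL:!eNULL"


if __name__ == "__main__":
    anon, null = audit(parse_ciphers_v(SAMPLE_CIPHERS_V))
    print("anonymous suites:      ", anon)
    print("null-encryption suites:", null)
    print("hardened cipher string:", hardened_cipher_string())
```

Feed it real output with `openssl ciphers -v 'ALL:COMPLEMENTOFALL'` to see which weak suites a given build exposes before deciding on a server cipher string.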


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
