Thanks everyone for your replies. In summary, my understanding from this
thread and from reading the SSLv3 spec (stop me if I'm wrong!) is this:

- cipher suites such as ADH-DES-CBC-SHA and ADH-RC4-MD5 are supported (but
not recommended due to lack of authentication); to use them, I must compile
with SSL_ALLOW_ADH defined, and explicitly specify them in the cipher list.

- cipher suites such as EDH-RSA-DES-CBC-SHA and EDH-DSS-DES-CBC-SHA are
supported without doing anything special; the server uses an RSA or DSA
certificate (signed by a CA) for authentication and the Diffie-Hellman
parameters (which may be different for each session) are signed using the
private key corresponding to that certificate.

- cipher suites such as DH-RSA-DES-CBC-SHA and DH-DSS-DES-CBC-SHA are _not_
supported; for these, the Diffie-Hellman parameters form part of the
server's certificate, and the whole lot has been signed by a CA (using RSA
or DSA), so the Diffie-Hellman parameters are fixed for sessions using that
certificate.

Phew!

Ollie
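
As an added illustration of the three families in the summary above (not code from the thread or from the OpenSSL project), the script below parses the `openssl ciphers -v` output format and classifies each suite by its key-exchange (`Kx=`) and authentication (`Au=`) columns: `Au=None` is anonymous DH, `Kx=DH` with `Au=RSA`/`Au=DSS` is ephemeral DH whose parameters are signed with the certificate key, and `Kx=DH/RSA` or `Kx=DH/DSS` with `Au=DH` is static DH carried in the certificate. The sample lines are constructed to match the suite names discussed here; the `SSL_ALLOW_ADH` compile flag belongs to the 1999-era build, whereas current OpenSSL releases instead leave `aNULL` suites out of the `DEFAULT` list, so the same check applies to a modern cipher string. The optional `audit_cipher_string` helper shells out to a local `openssl` binary if one is present and is an assumption about the environment, not something the test relies on.

```python
"""Classify OpenSSL cipher suites by the kind of Diffie-Hellman they use.

Parses lines in `openssl ciphers -v` format (NAME VERSION Kx=.. Au=.. Enc=.. Mac=..)
and flags suites that offer no server authentication (Au=None), i.e. anonymous DH.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in `openssl ciphers -v` format; suite names are the ones
# discussed in the thread. Kx/Au follow OpenSSL's column conventions:
#   Kx=DH     Au=None     anonymous DH (ADH-*), nothing signs the exchange
#   Kx=DH     Au=RSA/DSS  ephemeral DH, parameters signed by the cert key (EDH-*)
#   Kx=DH/RSA Au=DH       static DH, parameters live inside the certificate (DH-RSA-*)
SAMPLE_CIPHERS_V = """\
ADH-DES-CBC-SHA         SSLv3 Kx=DH       Au=None Enc=DES(56)  Mac=SHA1
ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128) Mac=MD5
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)  Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)  Mac=SHA1
DH-RSA-DES-CBC-SHA      SSLv3 Kx=DH/RSA   Au=DH   Enc=DES(56)  Mac=SHA1
DH-DSS-DES-CBC-SHA      SSLv3 Kx=DH/DSS   Au=DH   Enc=DES(56)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)  Mac=SHA1
"""


@dataclass(frozen=True)
class CipherSuite:
    name: str
    protocol: str
    kx: str
    au: str
    enc: str
    mac: str

    @property
    def authenticated(self) -> bool:
        """False for anonymous suites: no certificate key signs the key exchange."""
        return self.au != "None"

    @property
    def dh_kind(self) -> str:
        """One of: no-dh, anonymous, static-cert, ephemeral-signed."""
        if not self.kx.startswith("DH"):
            return "no-dh"
        if self.au == "None":
            return "anonymous"
        if self.au == "DH":
            return "static-cert"          # DH public value is inside the certificate
        return "ephemeral-signed"         # fresh DH params, signed with the cert key


_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_ciphers_v(text: str) -> List[CipherSuite]:
    """Parse `openssl ciphers -v` output; lines without the six columns are skipped."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        fields = dict(_FIELD.findall(line))
        suites.append(CipherSuite(parts[0], parts[1], fields["Kx"], fields["Au"],
                                  fields["Enc"], fields["Mac"]))
    return suites


def anonymous_suites(suites: List[CipherSuite]) -> List[str]:
    """Names of suites a server could negotiate without proving its identity."""
    return [s.name for s in suites if not s.authenticated]


def summarize(suites: List[CipherSuite]) -> Dict[str, int]:
    """Count suites per DH family."""
    counts: Dict[str, int] = {}
    for s in suites:
        counts[s.dh_kind] = counts.get(s.dh_kind, 0) + 1
    return counts


def audit_cipher_string(cipher_string: str, openssl: str = "openssl") -> Optional[List[str]]:
    """Expand a cipher string with the local openssl binary and return its anonymous
    suites; returns None when openssl is not available (assumed, environment-dependent)."""
    try:
        out = subprocess.run([openssl, "ciphers", "-v", cipher_string],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return anonymous_suites(parse_ciphers_v(out))


if __name__ == "__main__":
    suites = parse_ciphers_v(SAMPLE_CIPHERS_V)
    for s in suites:
        print(f"{s.name:24} {s.dh_kind}")
    print("anonymous:", anonymous_suites(suites))
    live = audit_cipher_string("DEFAULT")
    if live is not None:
        print("anonymous suites in local DEFAULT list:", live or "none")
```

Run against a real server configuration by piping `openssl ciphers -v '<your cipher string>'` into `parse_ciphers_v`; a non-empty result from `anonymous_suites` means the configuration still admits an unauthenticated key exchange and should be tightened with `!aNULL`.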


> -----Original Message-----
> From: Dr Stephen Henson [SMTP:[EMAIL PROTECTED]]
> Sent: Saturday, December 18, 1999 7:25 PM
> To:   [EMAIL PROTECTED]
> Subject:      Re: Diffie-Hellman support in OpenSSL
> 
> Andrew Cooke wrote:
> > 
> > 
> > Although my post, in retrospect sounded like eay is some kind of font of
> > eternal knowledge, I meant just that since he wrote the thing, he could
> > explain the design decisions.
> > 
> > Anyway, I've now found the following two posts which shed light on the
> > historic basis for support (or not) of DH:
> > 
> > http://remus.prakinf.tu-ilmenau.de/ssl-users/archive25/0085.html
> > http://remus.prakinf.tu-ilmenau.de/ssl-users/archive19/0160.html
> > 
> 
> I can vaguely recall seeing that at the time.
> 
> We can get equivalent "protection" by not enabling anon DH unless it is
> specifically included in the cipher list: still disallowing it when a
> user has declared some knowledge of it by explicitly stating they want
> it is IMHO plain silly.
> 
> The DH referred to in the other message is PKCS#3 DH, whereas the
> only DH certificates are now X9.42 and still only present AFAIK in the
> S/MIME v3 examples group. X9.42 solves some of the problems of PKCS#3 in
> certificates but it is still awkward. X9.42 DH didn't exist at the time
> of the message.
> 
> The honouring of X509v3 usage extensions BTW: I partially added that a
> few weeks ago to the development release.
> 
> Steve.
> -- 
> Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED] 
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the   OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]