Rogier Mulhuijzen <[EMAIL PROTECTED]>:
> [...] to make sure everything goes right I started out with altering
> the demos/ssl/*.cpp files. [...]
> started experimenting with becoming a CA and making my own certificates.
> Doing that I realised that using RSA based stuff would mean getting a
> license for use within the US (or other countries too) and since I'm
> planning on using it there I decided to rebuild openSSL with no-rsa no-rc5
> no-idea just to be on the safe side. [...]
> THEN I replaced the certificate&privatekey files in the demos/ssl directory
> because the original ones were RSA based and thus didn't work anymore.
> 395:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
> cipher:s3_srvr.c:769:
To use DSA certificates, the server has to provide DH parameters; as
DSA, unlike RSA, cannot be used for direct encryption, there's always
an ephemeral DH key involved. (Ephemeral DH should also be used when
certificates are of RSA type because otherwise you don't get forward
secrecy: Someone who obtains the RSA private key can decrypt recorded
sessions that use RSA without ephemeral keys, but not sessions that
use RSA with ephemeral DH.)

ssltest.c is probably a better example for how to set up an SSL_CTX.

If you obtain a beta for OpenSSL 0.9.5a, you'll see that
"make test" now works in no-rsa configurations.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
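An added example, not part of the original thread, of producing the pieces the reply says a DSA-based server needs: the DSA key and certificate plus a DH parameter file for the ephemeral exchange, with a check that the combination is complete. It assumes only an `openssl` command-line binary (1.1.x or 3.x) on PATH; the file names, the subject name and the 2048-bit sizes are constructed for this example.

```shell
#!/bin/sh
# Added example: generate what a server needs to present a DSA certificate.
# Assumes the `openssl` CLI (1.1.x or 3.x); all file names and sizes are
# constructed for this example.
set -eu

# make_dsa_server_material DIR: writes dhparam.pem, server.key, server.crt into DIR.
make_dsa_server_material() {
    dir="$1"
    mkdir -p "$dir"
    # DH group for the ephemeral (DHE) exchange. -dsaparam yields non-safe-prime
    # parameters quickly; that is acceptable only because the DH key is
    # ephemeral and regenerated per handshake, which is the case discussed here.
    openssl dhparam -dsaparam -out "$dir/dhparam.pem" 2048
    # DSA domain parameters and private key, then a self-signed test certificate.
    openssl dsaparam -out "$dir/dsaparam.pem" 2048
    openssl gendsa -out "$dir/server.key" "$dir/dsaparam.pem"
    openssl req -new -x509 -sha256 -key "$dir/server.key" -out "$dir/server.crt" \
        -days 1 -subj "/CN=dsa-test-server"
}

# cert_key_algorithm CERT: prints the public key algorithm named in CERT,
# e.g. "dsaEncryption" or "rsaEncryption".
cert_key_algorithm() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public Key Algorithm: *//p' | head -n 1
}

# dh_param_bits FILE: prints the bit length of the DH prime in FILE.
dh_param_bits() {
    openssl dhparam -in "$1" -noout -text |
        sed -n 's/.*DH Parameters: *(\([0-9]*\) bit).*/\1/p' | head -n 1
}

# server_ready DIR: succeeds only when the certificate is DSA *and* usable DH
# parameters exist. A DSA certificate without DH parameters is exactly the
# configuration behind the "no shared cipher" error quoted above.
server_ready() {
    [ "$(cert_key_algorithm "$1/server.crt")" = "dsaEncryption" ] &&
        [ -s "$1/dhparam.pem" ] &&
        [ "$(dh_param_bits "$1/dhparam.pem")" -ge 2048 ]
}

# Usage: sh this_script.sh /path/to/outdir
if [ $# -ge 1 ]; then
    make_dsa_server_material "$1"
    server_ready "$1" && echo "DSA certificate and DH parameters ready in $1"
fi
```

The server then loads server.crt and server.key as usual and dhparam.pem through SSL_CTX_set_tmp_dh (or `-dhparam` for `openssl s_server`); only with both in place do the DHE-DSS cipher suites become offerable.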