Hi Marek

1) Can I do both EPHEMERAL RSA and DH EPHEMERAL at the same time? Will OpenSSL use either EPHEMERAL RSA or DH EPHEMERAL depending on which ciphers are used?

2) What do you mean by some compatibility problem? If SSLv2 or SSLv3 tries to connect to my Server (TLS_RSA_WITH_3DES_EDE_CBC_SHA1), will my server crash?

3) I have a core dump on SSL_CTX_free(ctx) (I already check { if (ctx) SSL_CTX_free(ctx); }). I have an SSL Server/Client application. The Client can be independent or come from the Server. If the Client is by itself, SSL_CTX_free(ctx) will be called when I am done with the Client. For the Server, I create one CTX. For each Client's SSL connection, I spin off a thread and create an SSL which shares this CTX. Does OpenSSL have a counter to let me know there are still some SSL connections which belong to this CTX before I call SSL_CTX_free(ctx)? Something like this:

    if (CTX_counter == 0) { if (ctx) SSL_CTX_free(ctx); }

Sorry to ask you so many questions. I just want to understand.

Thank You
Thao Dinh

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marek Marcola
Sent: Thursday, March 22, 2007 20:12
To: openssl-users@openssl.org
Subject: RE: Root Certificates dir

Hello,

> I asked you last week:
>
> > I have to interface with a client running
> > TLS_RSA_WITH_3DES_EDE_CBC_SHA1. For me, it means:
> > ..........
> > Please verify that my thought is correct. DH is not involved at all?
> > I always think that DH has to be involved when using a symmetric key.
>
> You answered
>
> > Yes, in this case DH is not used.
>
> I have a problem with what to do with Ephemeral keying. In OpenSSL, it
> seems to me that I have two choices to use Ephemeral keying: temporary
> RSA keys or Diffie-Hellman (DH) key agreement.
>
> For temporary RSA keys, using something like:
>
>     SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_EPHEMERAL_RSA);
>     RSA *rsa;
>     rsa = RSA_generate_key(512, RSA_F4, NULL, NULL);
>     if (!SSL_CTX_set_tmp_rsa(ctx, rsa)) {
>         ExitPostmaster(1);
>     }
>     RSA_free(rsa);
>
> For Diffie-Hellman (DH), using something like:
>
>     SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE);
>     SSL_CTX_set_tmp_dh_callback(...);
>
> I cannot use Diffie-Hellman (DH) key agreement because of my
> TLS_RSA_WITH_3DES_EDE_CBC_SHA1 requirement. I can implement this but
> it does not help because DH is not used in this case.
>
> I cannot use temporary RSA keys because of:
>
> > Temporary RSA keys are only used in some export ciphersuites which
> > are now obsolete. The use of ephemeral RSA keys actually violates
> > the standards in that particular ciphersuite.
>
> What else can I do to implement Ephemeral keying? Please help. I
> have limited knowledge of this OpenSSL.

Sorry for such a late response.

As Steve already said, there is some compatibility problem, and if you can live with that I do not see any problems. In this case you are not inventing your own crypto protocol (which is not easy and very dangerous) but you use some approved one. Maybe for a different purpose, but it may be useful and maybe in the future it can be standard, for example in TLS 1.2 :-). Who knows.

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
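An added illustration of the counter asked about in question 3 (this is not code from the thread or from OpenSSL): libssl already keeps a reference count on the SSL_CTX, SSL_new() takes a reference and SSL_free() gives it back, so SSL_CTX_free() only releases the caller's reference and the CTX is destroyed when the last one goes. The stand-alone C model below, with the hypothetical names ctx_new/ctx_free/ssl_new/ssl_free/server_lifecycle, shows why one SSL_CTX_free() from the main thread is safe while a second call destroys the CTX under a still-open connection.

```c
/* Model of the reference count libssl keeps on an SSL_CTX (illustration, not
 * OpenSSL code): SSL_new() takes a reference, SSL_free() gives it back, and
 * SSL_CTX_free() only decrements; the CTX is destroyed at the last release. */
#include <stdlib.h>
typedef struct { int references; int destroyed; } ctx_t;  /* ~ ctx->references */
typedef struct { ctx_t *ctx; } ssl_t;

static ctx_t *ctx_new(void) {              /* SSL_CTX_new(): creator holds 1 ref */
    ctx_t *c = calloc(1, sizeof *c);
    c->references = 1;
    return c;
}
static void ctx_free(ctx_t *c) {           /* SSL_CTX_free(): drop one reference */
    if (!c || --c->references > 0) return;
    c->destroyed = 1;                      /* libssl releases the memory here */
}
static ssl_t *ssl_new(ctx_t *c) {          /* SSL_new(): the connection takes a ref */
    ssl_t *s = calloc(1, sizeof *s);
    c->references++;
    s->ctx = c;
    return s;
}
static void ssl_free(ssl_t *s) {           /* SSL_free(): gives its ref back */
    ctx_free(s->ctx);
    free(s);
}

/* One CTX shared by nconn per-client SSL objects, as in the question.
 * Returns how many connections were still open when the CTX was destroyed:
 * 0 = CTX outlived every connection (correct); >0 = a live connection now
 * points at freed memory (the core-dump scenario); -1 = CTX leaked. */
static int server_lifecycle(int nconn, int server_free_calls) {
    ssl_t *conn[16];
    ctx_t *ctx = ctx_new();
    int i, live, destroyed_with = -1;
    if (nconn > 16) nconn = 16;
    for (i = 0; i < nconn; i++) conn[i] = ssl_new(ctx);
    /* the main thread's SSL_CTX_free(): once is right, twice is a double free */
    for (i = 0, live = nconn; i < server_free_calls; i++) {
        ctx_free(ctx);
        if (ctx->destroyed && destroyed_with < 0) destroyed_with = live;
    }
    for (i = 0; i < nconn; i++) {          /* each worker thread's SSL_free() */
        ssl_free(conn[i]);
        live--;
        if (ctx->destroyed && destroyed_with < 0) destroyed_with = live;
    }
    i = destroyed_with;
    free(ctx);                             /* model only: reclaim the stub */
    return i;
}
```

The model is single-threaded; in the multi-threaded server described, the OpenSSL releases of that era also required the application to install CRYPTO_set_locking_callback() before sharing objects across threads, and a missing locking callback is the other common cause of crashes around SSL_CTX_free().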