RE: error in using EC/DSA cert as server cert

Thu, 07 Jun 2012 19:11:48 -0700 

> From: owner-openssl-us...@openssl.org On Behalf Of Bin Lu
> Sent: Thursday, 07 June, 2012 19:25

> For ecdh_tmp, should it be the same as what is set in the 
> pkey in CTX->CERT? What is the purpose of these _tmp keys?

> Sent: Thursday, June 07, 2012 4:04 PM

> But for a DSA key, what DH do I suppose to use?

man [openssl-3] SSL_{,CTX_}set_tmp_dh{,_callback) or 
http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html#
and substitute ECDH for DH (and ECDSA for DSA) since those apparently 
don't have a man page written (but ignore small subgroup for EC).

For DH you can use OpenSSL's 'canned' params like dh_get1024() 
(but not dh_get512 except for 'export' suites, 512 is too small)
or you can get and use other known ones like IPSEC 'Oakley', 
or you can generate your own (but in my opinion the man page 
overstresses the desirability of generating your own).
You can convert your DSA privatekey to DH with DSA_dup_DH() and 
use the full key, or set SINGLE_DH_USE to use only the parameters.

For ECDH use one of the 'named' (standardized) curves from 
EC_KEY_new_by_curve_name(int nid), or similarly your privatekey 
if it's in a named curve which it most likely is; OpenSSL 
uses the same EC_KEY structure for both ECDSA and ECDH.
The protocol spec allows nonstandard (ad-hoc) ECDHE params, 
but OpenSSL doesn't implement this and other systems may not.

See apps/s_server.c for code that implements some of these options.

Note: on reviewing this man page which I hadn't for a while, 
I don't understand the warning about DSA. First, if you use 
DSA *parameters* (not a full key), SINGLE_DH_USE is irrelevant, 
the code will always need to generate a key per negotiation.
If you use a DSA *key* converted to DH, how is this weaker than 
any other static DH key? You've discarded the exact subgroup 
order, but you do know it's big enough to resist guessing, 
and you know the group is big enough to resist discrete-log.
There are drawbacks to static DH, but as far as I can see they 
apply equally whether generated as DH or converted from DSA.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to