> From: owner-openssl-us...@openssl.org On Behalf Of Sean Alexandre
> Sent: Tuesday, October 08, 2013 20:08

> I'm writing a client app that uses OpenSSL to connect to an SSL server. I want
> to display the number of bits used for the DH parameter set. <snip> I've tried
> (pseudocode):
> SSL *ssl;
> EVP_PKEY *evp_key = SSL_get_privatekey(ssl);
> struct dh_st *dh = EVP_PKEY_get1_DH(evp_key);
>
> But get: ":error:06077080:digital envelope
> routines:EVP_PKEY_get1_DH:expecting a dh key:p_lib.c:352:"

The DH key is your private key only for static-DH, which isn't yet implemented
by released OpenSSL (it apparently will be in 1.0.2). (Static-ECDH is.)

> I know a DH exchange happened; SSL_CIPHER_description() gives:
> DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256)
> Mac=AEAD

For DHE (ephemeral) or ADH (anonymous, which is inherently ephemeral), look in
get_session()->sess_cert->peer_dh_tmp. (And similarly for ECDHE or AECDH,
peer_ecdh_tmp.)

And if the server is Java I can tell you now it almost certainly used DH-768,
which is too small. I've had to disable DHE on my systems for that reason.
I've even got the actual p stored away someplace.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
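Added example, not part of the thread and not OpenSSL project code: the sess_cert fields the reply points at are internal to the 1.0.x structs, but from OpenSSL 1.0.2 onwards the same negotiated temporary key is printed by `openssl s_client` in a "Server Temp Key:" line (a C client can read it through SSL_get_server_tmp_key() plus EVP_PKEY_bits()). The script below parses that line and applies a minimum size to finite-field DH, so a too-small group such as the 768-bit one the reply mentions is flagged. The 2048-bit default, the `kEDH` cipher alias used to force a DHE suite, and the sample lines fed to it are my assumptions, not anything stated in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): check the size of the ephemeral
# key-exchange key a server negotiated, using the "Server Temp Key:" line that
# `openssl s_client` prints in OpenSSL 1.0.2 and later. Parsing is kept in
# functions so captured output can be checked without a network connection.

# Read s_client output on stdin; print "TYPE BITS" (for example "DH 2048" or
# "ECDH 256") for the negotiated temporary key, or nothing if no such line
# was printed (static RSA key exchange, or an OpenSSL older than 1.0.2).
tmp_key_line() {
    sed -n 's/^Server Temp Key: *\([^,]*\),.* \([0-9][0-9]*\) bits.*/\1 \2/p' | head -n 1
}

# Policy check on stdin (s_client output). Returns 0 when a finite-field DH key
# has at least $1 bits (assumed default 2048) or when the exchange was
# elliptic-curve (ECDH/X25519, whose sizes are not comparable to DH);
# returns 1 when the DH key is too small and 2 when no temp key line was seen.
kx_ok() {
    min_bits=${1:-2048}
    line=$(tmp_key_line)
    [ -n "$line" ] || return 2
    type=${line%% *}
    bits=${line##* }
    case "$type" in
        DH) [ "$bits" -ge "$min_bits" ] ;;
        *)  return 0 ;;
    esac
}

# Live check (needs network; not run by the tests): connect with a DHE-only
# cipher list so the server must send finite-field DH parameters. "kEDH" is
# the cipher-string alias for ephemeral DH key exchange in 1.0.x and 1.1.x.
# Usage: check_host example.org:443 2048
check_host() {
    openssl s_client -connect "$1" -cipher kEDH </dev/null 2>/dev/null | kx_ok "${2:-2048}"
}
```

Run `check_host host:port` against your own server; a non-zero exit means either the DH group is below the minimum or the connection never produced a temp key (for instance a non-DHE suite was negotiated despite the cipher list). Note that with TLS 1.3 the key exchange is chosen through supported groups rather than the cipher string, so a TLS 1.3 server will typically report an ECDH or X25519 key here.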