On Fri, Oct 25, 2013 at 06:35:08AM -0700, LN wrote:

> I mean in a typical usage of OpenSSL is it mandatory to call
> SSL_CTX_set_tmp_dh() if I call SSL_CTX_use_certificate()
> and SSL_CTX_use_PrivateKey().

No, this is optional.

> I know that for RSA keys, for example, the session key exchange is done
> using the public keys of the client and server.

No, this depends on the cipher-suite.

> If my understanding is correct, the DH parameters are used for
> key exchange also.

No, not "also", rather "instead" when an EDH cipher-suite is negotiated.

> So if public keys are used, is there a situation when the DH parameters
> will be used instead for key exchange?

When an EDH cipher-suite is negotiated.

> So is my understanding correct, that DH might be used if the client
> uses a protocol for key exchange that is based on DH and if the
> server doesn't have the DH parameters, the negotiation will fail

No, the server won't negotiate an EDH cipher-suite when it has no
DH parameters. Clients don't begin EDH/EECDH key exchange, servers do.

-- 
Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org