Thanks a lot for the explanation, so instead of generating new parameters on the fly I could just create them once and then load on requests via the SSL_CTX_set_tmp_dh_callback?
Like in the example listed on: https://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html

Should I provide just 4 files: dh512.pem, dh1024.pem, dh2048.pem, and dh4096.pem?

Please let me know.
Thanks a lot.
--
Marco Bambini
http://www.sqlabs.com
http://twitter.com/sqlabs
http://instagram.com/sqlabs

On 20 Sep 2014, at 15:50, Dave Thompson <dthomp...@prinpay.com> wrote:

>> From: owner-openssl-us...@openssl.org On Behalf Of Marco Bambini
>> Sent: Friday, September 19, 2014 12:04
>
>> my server needs to accept DHE ciphers from clients so I think I would need to
>> be able to load static dh512.pem, dh1024.pem, dh2048.pem and dh4096.pem
>> certificates on server side. In order to increase security I would like to skip
>> the pem file loading step and generate these dh certificates on the fly.
>>
> Those aren't certificates, they are parameters. For DHE (and also DH-anon)
> server and client each generates a new (ephemeral) keypair for each handshake
> using the same parameters. Having many keypairs under the same parameters
> is secure, this is how Diffie-Hellman works. Generating a new keypair is
> nearly instantaneous; generating new parameters takes a minute or
> several, which would be unacceptable per connection on most servers.
> Generating them on server startup, or now and then such as monthly,
> would give you the same extremely tiny increase in security.
>
> If you really want that, generate parameters using the DH_ specific
> routine or the EVP_PKEY_ wrapper and pass that to set_tmp_dh or
> use it (or maybe them) in the callback set by set_tmp_dh_callback,
> instead of the one(s) read from file(s).
>
> The protocol does define "static" DH suites which use DH certificates.
> (SSLv3 through TLSv1.1 distinguished DH certs signed by RSA or DSS
> in the ciphersuite; 1.2 essentially merges them and uses the new
> sigalgs extension instead.) OpenSSL did not implement these in any
> release yet; 1.0.2 is planned to. DH certificates cannot be requested
> using the standard PKCS#10 CSR (because DH can't sign) and I've never
> seen nor heard of any CA that issues a DH cert nor any system wanting
> to use static-DH. (OpenSSL *does* implement the static *EC*DH suites,
> although I haven't seen them used in anger either.)
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
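
The split between parameters and keypairs discussed in this thread, as an added example that is not part of the original messages and not OpenSSL code: a pure-Python model in which the safe-prime search runs once and every handshake draws fresh ephemeral keys under the same (p, g). All function names are hypothetical, and the default 512-bit size is an assumption chosen only so pure Python finishes quickly.

```python
import secrets
import time

SMALL_PRIMES = [n for n in range(3, 2000, 2) if all(n % d for d in range(3, int(n ** 0.5) + 1, 2))]

def is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_params(bits):
    """Slow, done once: search for a safe prime p = 2q + 1; generator 2."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        # Cheap trial division rejects most candidates before Miller-Rabin.
        if any(q % s == 0 or p % s == 0 for s in SMALL_PRIMES):
            continue
        if is_probable_prime(q) and is_probable_prime(p):
            return p, 2

def handshake(p, g):
    """Fast, done per connection: both sides draw a fresh private exponent."""
    server_priv = secrets.randbelow(p - 3) + 2
    client_priv = secrets.randbelow(p - 3) + 2
    server_pub, client_pub = pow(g, server_priv, p), pow(g, client_priv, p)
    # Each side combines its own private value with the peer's public value.
    return server_pub, client_pub, pow(client_pub, server_priv, p), pow(server_pub, client_priv, p)

def demo(bits=512, handshakes=5):
    """Toy-size run (assumption of this example); returns results and both timings."""
    t0 = time.perf_counter()
    p, g = generate_params(bits)
    t_params = time.perf_counter() - t0
    t0 = time.perf_counter()
    results = [handshake(p, g) for _ in range(handshakes)]
    return p, g, results, t_params, (time.perf_counter() - t0) / handshakes
```

Calling `demo()` returns the one-time parameter search time next to the average per-handshake time, so the two costs can be compared directly.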