On Fri, Oct 25, 2019 at 8:50 PM Matt Caswell <m...@openssl.org> wrote:
> > > On 25/10/2019 09:39, Viktor Dukhovni wrote: > > On Fri, Oct 25, 2019 at 03:33:43PM +0800, John Jiang wrote: > > > >> I'm using OpenSSL 1.1.1d. > >> Just want to confirm if DHE_DSS cipher suites are not supported by this > >> version. > > > > They are supported, but: > > > > * DSS ciphersuites are disabled by DEFAULT. You need to > > specify an explicit "-cipher" option to enable these, > > for example: > > > > $ openssl s_server -accept 12345 \ > > -tls1_2 -cipher DHE-DSS-AES256-GCM-SHA384 \ > > -dhparam dhparam.pem -key dsakey.pem -cert dsacert.pem > > > > or more typically: > > > > -cipher 'ALL:!RC4:!aNULL' > > > > * You should also supply DH parameters as above: > > This step is optional. It will work just fine with default parameters if > you don't specify them. > I only add option -cipher to s_server. That works for me. Thanks! > > Matt > > > > > > > -dhparam dhparam.pem > > > > I generated these with: > > > > $ openssl genpkey -genparam -algorithm dh \ > > -pkeyopt dh_paramgen_prime_len:2048 -out dhparam.pem > > >
