A question DH parameter generation and usage


A question DH parameter generation and usage

Jayalakshmi bhat
Hi,

We are planning to use DHE_RSA TLS ciphers in our product. I have a few questions on using DH parameters. We would like to use DH-2048.

Our product includes both TLS client and server applications. Thus at any time there will be a considerable number of active connections.

I believe we can use the same DH parameters for all the server connections. Is my understanding correct? Is there any risk in using the same parameters for all the server connections?

Another question is what guidelines/documents should be followed to derive DH parameters.

Any input is appreciated.

Thanks and Regards
Jayalakshmi.

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: A question DH parameter generation and usage

Paul Yang
For DHE_RSA, you first need a pair of RSA certificate/key for signing. And if you want to use specific DH parameters, you can use the SSL_CTX_set_tmp_dh API; there is documentation describing how to use this function.

DH parameters could be generated by OpenSSL in many ways; one of the common ways is by using the openssl-dhparam command line tool. Check the -help option of that command.

BTW: seems this email should be sent to openssl-users list only...

> On 6 Dec 2017, at 14:02, Jayalakshmi bhat <[hidden email]> wrote:
>
> Hi,
>
> We are planning to use DHE_RSA TLS ciphers in our product. I have a few questions on using DH parameters. We would like to use DH-2048.
>
> Our product includes both TLS client and server applications. Thus at any time there will be a considerable number of active connections.
>
> I believe we can use the same DH parameters for all the server connections. Is my understanding correct? Is there any risk in using the same parameters for all the server connections?
>
> Another question is what guidelines/documents should be followed to derive DH parameters.
>
> Any input is appreciated.
>
> Thanks and Regards
> Jayalakshmi.


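The generation step Paul points to, as an added example that is not part of the thread: a small shell script that produces a DH parameter file with openssl dhparam and then verifies it before it is handed to SSL_CTX_set_tmp_dh. It assumes the openssl CLI is on PATH; the file name and bit size are arguments the caller supplies.

```shell
#!/bin/sh
# Added example (not from the thread): generate and verify DH parameters
# with the openssl-dhparam tool. Assumes the openssl CLI is on PATH.
set -eu

# Generate a DH parameter file of the requested size.
# openssl dhparam produces a safe prime (p = 2q + 1) with generator 2 by
# default; a 2048-bit search can take minutes, so do this once at build or
# install time, not per connection. The resulting parameters are public and
# one file can serve every server connection.
gen_dh_params() {
    out="$1"; bits="$2"
    openssl dhparam -out "$out" "$bits" 2>/dev/null
}

# Verify the file before deploying it:
#   -check confirms p is a safe prime and g is a valid generator;
#   the -text dump is grepped to confirm the prime really has the size that
#   was requested (it prints a line like "DH Parameters: (2048 bit)").
# Returns 0 only when both checks pass.
verify_dh_params() {
    file="$1"; bits="$2"
    openssl dhparam -in "$file" -check -noout >/dev/null 2>&1 || return 1
    openssl dhparam -in "$file" -text -noout 2>/dev/null | grep -q "($bits bit)"
}

# Typical use for the 2048-bit parameters asked about in the thread:
#   gen_dh_params dh2048.pem 2048 && verify_dh_params dh2048.pem 2048
# The verified dh2048.pem is what the server loads (PEM_read_DHparams)
# and passes to SSL_CTX_set_tmp_dh.
```

The per-connection secrecy comes from the ephemeral private exponent the library picks in each handshake, not from the parameter file, which is why one checked parameter set is reused across connections.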