s_server and explicit dhparam


Le Van Gong, Hubert
Hi there,

I'm trying to run openssl in server mode and leverage non-default DH
params with the following command:
sudo openssl s_server -cert server_cert.pem -dhparam dhparam_2.pem
-tls1_3 -accept 443

Where the dhparam_2.pem file contains the 2 DH params I want to use.
However, I keep getting the following error message: Error with command:
"-dhparam dhparam_2.pem"

I'm using OpenSSL 1.1.1-dev and see the same behaviour on macOS or Linux.

Any idea as to what it is I am missing?

Cheers,
Hubert

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: s_server and explicit dhparam

OpenSSL - User mailing list
On 09/21/2017 03:30 AM, Le Van Gong, Hubert wrote:
> Hi there,
>
> I'm trying to run openssl in server mode and leverage non-default DH params with the following command:
> sudo openssl s_server -cert server_cert.pem -dhparam dhparam_2.pem -tls1_3 -accept 443
>
> Where the dhparam_2.pem file contains the 2 DH params I want to use.
> However, I keep getting the following error message: Error with command: "-dhparam dhparam_2.pem"
>
> I'm using OpenSSL 1.1.1-dev and see the same behaviour on macOS or Linux.
>
> Any idea as to what it is I am missing?

It seems that what is missing is actual support in the code,

diff --git a/apps/s_server.c b/apps/s_server.c
index c45256a..d54909a 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -795,6 +795,7 @@ const OPTIONS s_server_options[] = {
     {"pass", OPT_PASS, 's', "Private key file pass phrase source"},
     {"dcert", OPT_DCERT, '<',
      "Second certificate file to use (usually for DSA)"},
+    {"dhparam", OPT_DHPARAM, '<', "DH parameters file to use"},
     {"dcertform", OPT_DCERTFORM, 'F',
      "Second certificate format (PEM or DER) PEM default"},
     {"dkey", OPT_DKEY, '<',
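
Review bot: the new "dhparam" row is inserted between "dcert" and "dcertform", which splits the second-certificate entries ("dcert", "dcertform", "dkey") that otherwise sit together in the table; placing it above "dcert" or after the "dkey" entry would keep that group contiguous. The help string "DH parameters file to use" also gives no hint of the expected encoding, while the neighbouring "dcertform" text spells out "(PEM or DER) PEM default", so stating the format here would be consistent. Since the hunk touches only the option table, it is worth confirming that OPT_DHPARAM already has an enum value and a case in the option-handling loop, neither of which is visible in these lines.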


-Ben


Re: s_server and explicit dhparam

Le Van Gong, Hubert
Hi Ben,

Ah, good catch. Maybe the doc should be updated to mention that fact.
Does anyone know if this is on the roadmap?

Thanks,
Hubert

On 9/21/17 20:12, Benjamin Kaduk wrote:

> On 09/21/2017 03:30 AM, Le Van Gong, Hubert wrote:
>> Hi there,
>>
>> I'm trying to run openssl in server mode and leverage non-default DH
>> params with the following command:
>> sudo openssl s_server -cert server_cert.pem -dhparam dhparam_2.pem
>> -tls1_3 -accept 443
>>
>> Where the dhparam_2.pem file contains the 2 DH params I want to use.
>> However, I keep getting the following error message: Error with
>> command: "-dhparam dhparam_2.pem"
>>
>> I'm using OpenSSL 1.1.1-dev and see the same behaviour on macOS or
>> Linux.
>>
>> Any idea as to what it is I am missing?
>
> It seems that what is missing is actual support in the code,
>
> diff --git a/apps/s_server.c b/apps/s_server.c
> index c45256a..d54909a 100644
> --- a/apps/s_server.c
> +++ b/apps/s_server.c
> @@ -795,6 +795,7 @@ const OPTIONS s_server_options[] = {
>      {"pass", OPT_PASS, 's', "Private key file pass phrase source"},
>      {"dcert", OPT_DCERT, '<',
>       "Second certificate file to use (usually for DSA)"},
> +    {"dhparam", OPT_DHPARAM, '<', "DH parameters file to use"},
>      {"dcertform", OPT_DCERTFORM, 'F',
>       "Second certificate format (PEM or DER) PEM default"},
>      {"dkey", OPT_DKEY, '<',
>
>
> -Ben


Re: s_server and explicit dhparam

OpenSSL - User mailing list
On 09/21/2017 10:57 PM, Le Van Gong, Hubert wrote:
> Hi Ben,
>
> Ah, good catch. Maybe the doc should be updated to mention that fact.
> Does anyone know if this is on the roadmap?

The documentation could not really get updated more easily than the code, and I committed the needed fix yesterday, so we're in as good a shape as we can reasonably expect to be.

-Ben
