since 0.9.6 or before, five (5) example PEM files have been included in the 'crypto/dh' directory of the pkg. these represent bit-sizes from 192 to 4096. certainly 192-/512-/1024-bits are hardly applicable today and that leaves the 2048-/4096-bit files subject to current interest. at that, i am not certain what utility these files have since they are not installed. quite a while ago i noticed the 'dh2048.pem' file when deciding to create custom DH param files. this file has two (2) sets of param's. since these files may have originated in some early dev phase, i can see where someone mistakenly appended the second param set instead of supplanting the first. this brings to the fore my actual question. 'pkeyparam' shares the same DH feature of its predecessors in that it ignores all content not included between the /*first*/ PEM header and its accompanying footer. that means virtually anything can surround the first param and will be ignored by whatever call(s) this wrapper is making. i can understand that this may have been coded this way to allow for the history DH param's have with openssl whereby only the PKCS#3 variant has been supported and that format might co-exist in some files. however, it would seem prudent that everything outside the first DH param should not be completely ignored. to wit: consider the very real possibility that a programmatic error is made -- such as the dh2048.pem example, supra -- and an append is performed and the new param is completely ignored and nobody is the wiser. moreover, since it is remarkably unlikely that anyone is hand coding these files or that comments would be inserted; it seems to make a lot of sense for a utilizing module to _*warn*_ of excess content that is not PKCS and _*fail*_ if more than a single PEM-type param is included. -- Thank you, Johann v. Preu?en -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160806/270feabe/attachment.html> -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3825 bytes Desc: S/MIME Cryptographic Signature URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160806/270feabe/attachment.bin>
