how to set temporary EC Diffie-Hellman parameters

asmarner@xxxxxxxxx (asmarner@xxxxxxxxx) · Fri, 9 Sep 2016 16:11:14 +0000 (UTC)

How about the following?
? ? EC_KEY *ecdh_parms = NULL;
? ? if (!(ecdh_parms= EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)))? ? {? ? ? ? printf("ECDH key generation failed");? ? ? ? return 0;? ? }
? ? if (EC_KEY_precompute_mult(ecdh_parms, NULL) == 0)? ? {? ? ? ??printf("ECDH precomputation failed");? ? ? ? EC_KEY_free (ecdh_parms);? ? ? ? return 0;? ? }
? ? if (SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh_parms) == 0)? ? {? ? ? ??printf("ECDH key could not be set");? ? ? ? EC_KEY_free (ecdh_parms);? ? ? ? return 0;? ? }
? ? EC_KEY_free (ecdh_parms);

    On Friday, September 9, 2016 9:29 PM, yordanos beyene <yordanosb at gmail.com> wrote:

 I got my application to support openssl s_client connections using the ephemeral ECDH cipher suites. I didn't initialize it properly.

Now I am looking at how to get my application accept openssl connections from a client with multiple curves instead of just "NID_X9_62_prime256v1". I appreciate any tips.
????? EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);

Thanks!

Jordan.

On Thu, Sep 8, 2016 at 12:12 PM, yordanos beyene <yordanosb at gmail.com> wrote:

Hello,
I appreciate if anyone can guide me how to set temporary EC Diffie-Hellman parameters to be able to accept SSL connections from a client using?ephemeral ECDHE cipher.
I have an ssl based application that can accept SSL connections. I can establish SSL connections from a client using RSA?cipher ( eg AES128-SHA), but when I use the ephemeral EDHE ciphers (eg ECDHE-RSA-AES128-SHA), the SSL handshake fails.
I have been googling to understand the issue for several hours, and it looks like?I need to?set temporary DH parameters.
I added the following code right after SSL initialization and creating context in my application....
?? EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);?? ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
?? if (! ecdh)
?????? error ();
?? if (1 != SSL_CTX_set_tmp_ecdh (session_cache_ctx, ecdh))
????? return -ENOMEM;?? EC_KEY_free (ecdh);
...
But it is still not working. I am not familiar with this area, and I?greatly appreciate any help.
I am running OpenSSL 1.0.1

Jordan.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160909/1de33729/attachment.html>