> From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf
> Of Viktor Dukhovni
> Sent: Wednesday, December 06, 2017 13:21
>
> > On Dec 6, 2017, at 8:51 AM, Michael Wojcik
> > <Michael.Wojcik@xxxxxxxxxxxxxx> wrote:
> >
> > Note: If you use OpenSSL 1.0.x and you use the DH parameter callback, be
> > aware that the callback isn't invoked in a useful manner by OpenSSL. (It
> > always asks for a 1024-bit group, unless an export cipher suite was selected,
> > which should never happen.)
>
> This is misleading. The callback does not really ask for a 1024-bit group,
> rather it passes one of two key-size hints "512" for export ciphers and 1024
> for non-export ciphers. Therefore, one can return any reasonable group size
> instead of 1024 bits.

Yes, that's what I meant. Sorry if I was unclear.

(We have code that still uses the callback, but passes back a group of size configurable by the administrator, and defaulting to 2048 bits. As the OpenSSL docs now recommend, we ignore the size and export parameters to the callback.)

> > In fact, now that export ciphers have gone the way of the dodo, the best
> > thing to do is probably just set a single group of your preferred size in all your
> > SSL_CTX structures and forget about the callback.
>
> Sure, provided one is sure that this will not lead to (DH) private key re-use.
> In sufficiently recent OpenSSL releases single DH use is the default and IIRC
> cannot be disabled. But older releases may more reliably avoid DH key
> re-use when the group is provided via the tmp_dh callback.

Oh, that's right. There's some option to set to tell OpenSSL 1.0.2 to tell it not to reuse DH keys, isn't there. Let's see... it's SSL_OP_SINGLE_DH_USE. But the man page for SSL_CTX_set_tmp_dh and SSL_CTX_set_tmp_dh_callback (and the SSL-specific versions) seems to imply that SSL_OP_SINGLE_DH_USE isn't necessary if either of those functions were used.
In any case, since 1.0.2f, SSL_OP_SINGLE_DH_USE is always on and cannot be disabled (CVE-2016-0701). That's probably why I'd forgotten about it.

In sum: The simplest thing is to choose a single DH group that meets your requirements (probably at least 2048 bits, and either coming from RFC 7919 or a good run of openssl dhparam), then set that in each new context with SSL_CTX_set_tmp_dh.

--
Michael Wojcik
Distinguished Engineer, Micro Focus