Hello,

I want to use static Diffie-Hellman key exchange with RSA authentication (DH_RSA) in my application. I am currently using OpenSSL version 1.0.2n. I understand that from version 1.0.2 OpenSSL supports fixed DH. Here is what I have tried so far.

Trial 1: I created DH server and client certificates as described in the demo script in the master branch, demos/certs/mkcerts.sh. I need a certificate in a PKCS12 file to import into my application. Since the DH certificate does not have a private key, I used the pkcs12 -nokeys option. This approach failed when I tried to read the certificate from my store.

Trial 2: I tried to set the DH certificates with SSL_CTX_use_certificate_file() in the client and server applications. After loading the certificate into my SSL context, what should I do?

Trial 3: I came across some articles where it was suggested that for static DH key exchange you append the DH parameters to the server certificate. So I appended my DH parameters (2048-bit key size) to my server certificate and created a PKCS12 file. Importing the certificate worked; however, when I tried to read the certificate back from the store into an X509 object, I was unable to retrieve the DH parameters. I could not find a way to retrieve my DH parameters from the server certificate.

Trial 4: I placed the DH parameter file in my project folder and read the parameters using PEM_read_DHparams(). Then I tried to create a DH key with DH_generate_key(). I could not call DH_compute_key() as I do not have the peer certificate. This configuration is done before I call SSL_connect(), so my SSL object is NULL at this point in time. After this I do not know how to proceed. I cannot use SSL_CTX_set_tmp_dh(), as this API is used for ephemeral Diffie-Hellman key exchange.

Please let me know where I am going wrong. I need to enable static DH in my application.

Regards,
Bharathi

--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
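The key-agreement step that Trial 4 runs into is worth seeing on its own. In a DH_RSA suite the server's DH public value is carried in its (RSA-signed) certificate and its DH private value is a long-lived key loaded beside that certificate; the client's public value reaches the server only inside the handshake (in ClientKeyExchange, or in the client's own DH certificate when fixed_dh client authentication is used). The shared secret therefore cannot be computed before the peer's value has arrived, which is why a compute-key call made before the connection starts has nothing to work with. The following is an added illustration, not code from the original post or from OpenSSL: it models both sides' messages for the DH part of a TLS 1.2 DH_RSA handshake using plain Python integers. The 64-bit prime and the key values are constructed toy inputs; a real deployment uses a 2048-bit group like the one in the poster's parameter file.

```python
"""Static (fixed) Diffie-Hellman key agreement as used by TLS DH_RSA suites.

Added illustration, not code from the original post or from OpenSSL.
The toy 64-bit group below is a constructed example; it is far too small
for real use and exists only to make the message flow concrete.
"""
import secrets

# Constructed toy group: p = 2**64 - 59 (a prime), generator 2.
P = 0xFFFFFFFFFFFFFFC5
G = 2


def int_to_premaster(z):
    """TLS 1.2 (RFC 5246 8.1.2) premaster secret for DH: Z as a big-endian
    byte string with leading all-zero bytes stripped."""
    return z.to_bytes((z.bit_length() + 7) // 8, "big")


class DHKeyPair:
    """A DH key pair. For a static (DH_RSA) peer the public value y is the
    one embedded in its X.509 certificate; x is the matching long-lived
    private value. For a client without a DH certificate the pair is
    generated fresh for the handshake."""

    def __init__(self, x=None, p=P, g=G):
        self.p = p
        self.g = g
        # private value in 2 .. p-2 unless a fixed (test) value is supplied
        self.x = x if x is not None else secrets.randbelow(p - 3) + 2
        self.y = pow(g, self.x, p)  # public value

    def compute_key(self, peer_y):
        """Derive the premaster secret from the peer's public value.
        Rejects out-of-range and degenerate values (y = 0, 1, p-1)."""
        if not 1 < peer_y < self.p - 1:
            raise ValueError("peer public value out of range")
        z = pow(peer_y, self.x, self.p)
        if z in (1, self.p - 1):
            raise ValueError("degenerate shared secret")
        return int_to_premaster(z)


def dh_rsa_handshake(server, client_static=None):
    """Simulate the DH part of a TLS DH_RSA handshake.

    server        -- the server's static DHKeyPair (public value in its cert)
    client_static -- the client's static DHKeyPair if it authenticates with
                     its own DH certificate (fixed_dh), else None
    Returns (server_premaster, client_premaster, client_key_exchange).
    The RSA signature on the certificate is not modelled here."""
    # ServerHello / Certificate: the client learns the server's public value.
    server_cert_y = server.y

    if client_static is None:
        # Client has no DH certificate: one-time key, value sent in ClientKeyExchange.
        client = DHKeyPair()
        client_key_exchange = client.y
    else:
        # fixed_dh client auth: value already in the client certificate,
        # so ClientKeyExchange carries nothing.
        client = client_static
        client_key_exchange = None

    # Client side: it now has the server's public value, so it can compute.
    client_pms = client.compute_key(server_cert_y)

    # Server side: only now, with ClientKeyExchange (or the client cert) in
    # hand, does the server have the peer value it needs.
    peer_y = client_key_exchange if client_key_exchange is not None else client.y
    server_pms = server.compute_key(peer_y)
    return server_pms, client_pms, client_key_exchange


if __name__ == "__main__":
    srv = DHKeyPair()
    s_pms, c_pms, ckx = dh_rsa_handshake(srv)
    print("premaster secrets match:", s_pms == c_pms)
```

Running two handshakes in which both sides use static key pairs yields the same premaster secret each time: that is the defining property of fixed DH, and the reason it offers no forward secrecy, unlike the ephemeral exchange that SSL_CTX_set_tmp_dh() configures.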