On 06/08/2019 11:07, Chitrang Srivastava wrote:
> Thanks Matt,
>
> So now I have, which I believe is enough?
>
> SSL_CTX_set_options(s_ctx, SSL_OP_NO_RENEGOTIATION |
> SSL_OP_CIPHER_SERVER_PREFERENCE);
> SSL_CTX_set_min_proto_version(s_ctx, TLS1_2_VERSION);

This is fine although it obviously prevents connections from very old clients
that don't support TLSv1.2. This might not be a problem for you depending on
your situation.

Matt

>
> On Tue, Aug 6, 2019 at 3:04 PM Matt Caswell <matt@xxxxxxxxxxx> wrote:
>
>
>     On 06/08/2019 09:42, Chitrang Srivastava wrote:
>     > Hi,
>     >
>     > I am implementing an HTTPS server using OpenSSL 1.1.1b.
>     > Is it mandatory to set up these APIs while creating the SSL context?
>     >
>     > SSL_CTX_set_tmp_ecdh
>     >
>     > SSL_CTX_set_tmp_dh
>
>     By default OpenSSL will automatically use ECDH if appropriate and choose a
>     suitable group so there is no need to call SSL_CTX_set_tmp_ecdh() unless you
>     want more control over which specific group is used.
>
>     OpenSSL will not use DH unless you specifically configure it. If you want to
>     make use of DH based ciphersuites then you must either call SSL_CTX_set_tmp_dh()
>     or SSL_CTX_set_dh_auto() (or the SSL_* equivalents). Calling the former enables
>     you to configure any arbitrary DH group that you choose. Calling the latter will
>     enable the built-in DH groups.
>
>     It is not mandatory to call any of the above.
>
>     >
>     > Also, any suggestion on what options one should set while setting up a
>     > server, like
>     > SSL_CTX_set_options like SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3
>
>     Don't use the protocol version specific options at all. Use
>     SSL_CTX_set_min_proto_version() if you want to specify a minimum protocol
>     version. SSLv2 is no longer supported at all. SSLv3 is compiled out by default.
>
>     Other options that are worth considering are SSL_OP_NO_RENEGOTIATION and
>     (possibly) SSL_OP_CIPHER_SERVER_PREFERENCE. Generally you don't need the others
>     unless there is a specific problem you are trying to solve.
>
>     Matt
>