On 25/10/2019 09:39, Viktor Dukhovni wrote: > On Fri, Oct 25, 2019 at 03:33:43PM +0800, John Jiang wrote: > >> I'm using OpenSSL 1.1.1d. >> Just want to confirm if DHE_DSS cipher suites are not supported by this >> version. > > They are supported, but: > > * DSS ciphersuites are disabled by DEFAULT. You need to > specify an explicit "-cipher" option to enable these, > for example: > > $ openssl s_server -accept 12345 \ > -tls1_2 -cipher DHE-DSS-AES256-GCM-SHA384 \ > -dhparam dhparam.pem -key dsakey.pem -cert dsacert.pem > > or more typically: > > -cipher 'ALL:!RC4:!aNULL' > > * You should also supply DH parameters as above: This step is optional. It will work just fine with default parameters if you don't specify them. Matt > > -dhparam dhparam.pem > > I generated these with: > > $ openssl genpkey -genparam -algorithm dh \ > -pkeyopt dh_paramgen_prime_len:2048 -out dhparam.pem >
