On Fri, Oct 25, 2019 at 8:50 PM Matt Caswell <matt@xxxxxxxxxxx> wrote:
On 25/10/2019 09:39, Viktor Dukhovni wrote:
> On Fri, Oct 25, 2019 at 03:33:43PM +0800, John Jiang wrote:
>
>> I'm using OpenSSL 1.1.1d.
>> Just want to confirm if DHE_DSS cipher suites are not supported by this
>> version.
>
> They are supported, but:
>
> * DSS ciphersuites are disabled by DEFAULT. You need to
> specify an explicit "-cipher" option to enable these,
> for example:
>
> $ openssl s_server -accept 12345 \
> -tls1_2 -cipher DHE-DSS-AES256-GCM-SHA384 \
> -dhparam dhparam.pem -key dsakey.pem -cert dsacert.pem
>
> or more typically:
>
> -cipher 'ALL:!RC4:!aNULL'
>
> * You should also supply DH parameters as above:
This step is optional. It will work just fine with default parameters if
you don't specify them.
I only add option -cipher to s_server. That works for me.
Thanks!
Matt
>
> -dhparam dhparam.pem
>
> I generated these with:
>
> $ openssl genpkey -genparam -algorithm dh \
> -pkeyopt dh_paramgen_prime_len:2048 -out dhparam.pem
>
