On Wed, Jul 13, 2022 at 06:47:15PM +0200, Dirk Stöcker wrote:

> > https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_dh.c#L148-L205
>
> Thanks a lot. Works in principle now with one exception. The previous
> approach worked for a file, where first comes the PEM certificate and
> afterwards the DH params. The new approach only works when the file has
> nothing other than the DH params inside. Is there a chance to get that behaviour
> back or do I need to load the file and strip the certificate myself?

The work-around is to put the DH parameters first. Otherwise, you'd need
to resort to the more general OSSL_STORE API, which loads objects of
various types, and you can then ignore the ones you don't care for.

Another option is to iterate through the PEM file via the generic PEM
API, and then decode just the desired objects:

    https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_certkey.c#L344-L378

-- 
    Viktor.