mirror of
https://github.com/guanzhi/GmSSL.git
synced 2026-05-27 10:46:27 +08:00
Merge remote-tracking branch 'origin/master'
# Conflicts: # README.md
This commit is contained in:
Zhi Guan
@@ -48,25 +48,8 @@ even if he gets hold of the normal (certified) key, as this key was
|
||||
only used for signing.
|
||||
|
||||
In order to perform a DH key exchange the server must use a DH group
|
||||
(DH parameters) and generate a DH key.
|
||||
The server will always generate a new DH key during the negotiation
|
||||
if either the DH parameters are supplied via callback or the
|
||||
SSL_OP_SINGLE_DH_USE option of SSL_CTX_set_options(3) is set (or both).
|
||||
It will immediately create a DH key if DH parameters are supplied via
|
||||
SSL_CTX_set_tmp_dh() and SSL_OP_SINGLE_DH_USE is not set.
|
||||
In this case,
|
||||
it may happen that a key is generated on initialization without later
|
||||
being needed, while on the other hand the computer time during the
|
||||
negotiation is being saved.
|
||||
|
||||
If "strong" primes were used to generate the DH parameters, it is not strictly
|
||||
necessary to generate a new key for each handshake but it does improve forward
|
||||
secrecy. If it is not assured that "strong" primes were used,
|
||||
SSL_OP_SINGLE_DH_USE must be used in order to prevent small subgroup
|
||||
attacks. Always using SSL_OP_SINGLE_DH_USE has an impact on the
|
||||
computer time needed during negotiation, but it is not very large, so
|
||||
application authors/users should consider always enabling this option.
|
||||
The option is required to implement perfect forward secrecy (PFS).
|
||||
(DH parameters) and generate a DH key. The server will always generate
|
||||
a new DH key during the negotiation.
|
||||
|
||||
As generating DH parameters is extremely time consuming, an application
|
||||
should not generate the parameters on the fly but supply the parameters.
|
||||
@@ -74,18 +57,17 @@ DH parameters can be reused, as the actual key is newly generated during
|
||||
the negotiation. The risk in reusing DH parameters is that an attacker
|
||||
may specialize on a very often used DH group. Applications should therefore
|
||||
generate their own DH parameters during the installation process using the
|
||||
openssl L<dhparam(1)|dhparam(1)> application. This application
|
||||
openssl L<dhparam(1)> application. This application
|
||||
guarantees that "strong" primes are used.
|
||||
|
||||
Files dh2048.pem, and dh4096.pem in the 'apps' directory of the current
|
||||
version of the OpenSSL distribution contain the 'SKIP' DH parameters,
|
||||
which use safe primes and were generated verifiably pseudo-randomly.
|
||||
These files can be converted into C code using the B<-C> option of the
|
||||
L<dhparam(1)|dhparam(1)> application. Generation of custom DH
|
||||
L<dhparam(1)> application. Generation of custom DH
|
||||
parameters during installation should still be preferred to stop an
|
||||
attacker from specializing on a commonly used group. Files dh1024.pem
|
||||
and dh512.pem contain old parameters that must not be used by
|
||||
applications.
|
||||
attacker from specializing on a commonly used group. File dh1024.pem
|
||||
contains old parameters that must not be used by applications.
|
||||
|
||||
An application may either directly specify the DH parameters or
|
||||
can supply the DH parameters via a callback function.
|
||||
@@ -93,10 +75,9 @@ can supply the DH parameters via a callback function.
|
||||
Previous versions of the callback used B<is_export> and B<keylength>
|
||||
parameters to control parameter generation for export and non-export
|
||||
cipher suites. Modern servers that do not support export ciphersuites
|
||||
are advised to either use SSL_CTX_set_tmp_dh() in combination with
|
||||
SSL_OP_SINGLE_DH_USE, or alternatively, use the callback but ignore
|
||||
B<keylength> and B<is_export> and simply supply at least 2048-bit
|
||||
parameters in the callback.
|
||||
are advised to either use SSL_CTX_set_tmp_dh() or alternatively, use
|
||||
the callback but ignore B<keylength> and B<is_export> and simply
|
||||
supply at least 2048-bit parameters in the callback.
|
||||
|
||||
=head1 EXAMPLES
|
||||
|
||||
@@ -123,12 +104,11 @@ partly left out.)
|
||||
/* Error. */
|
||||
}
|
||||
if (dh_2048 == NULL) {
|
||||
/* Error. */
|
||||
/* Error. */
|
||||
}
|
||||
if (SSL_CTX_set_tmp_dh(ctx, dh_2048) != 1) {
|
||||
/* Error. */
|
||||
}
|
||||
SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
|
||||
...
|
||||
|
||||
=head1 RETURN VALUES
|
||||
@@ -141,9 +121,17 @@ on failure. Check the error queue to find out the reason of failure.
|
||||
|
||||
=head1 SEE ALSO
|
||||
|
||||
L<ssl(3)|ssl(3)>, L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>,
|
||||
L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>,
|
||||
L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>,
|
||||
L<ciphers(1)|ciphers(1)>, L<dhparam(1)|dhparam(1)>
|
||||
L<ssl(3)>, L<SSL_CTX_set_cipher_list(3)>,
|
||||
L<SSL_CTX_set_options(3)>,
|
||||
L<ciphers(1)>, L<dhparam(1)>
|
||||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the OpenSSL license (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
in the file LICENSE in the source distribution or at
|
||||
L<https://www.openssl.org/source/license.html>.
|
||||
|
||||
=cut
|
||||
|
||||
Reference in New Issue
Block a user