When do I need to install dh parameters?

Sam Varshavchik mrsam at courier-mta.com
Sun Oct 3 00:14:57 CEST 2010

Conceptually, I'm trying to understand when I need to install DH parameters 
if I'm using RSA certificates, using gnutls_certificate_set_dh_params(). I 
understand that DH parameters are required when using DH server certs, but 
I've got a bunch of test code (an internal testsuite) that uses RSA certs, 
with gnutls on both the client and server side, setting up TLS sessions in 
various ways -- installing a certificate up front, on the server side, or 
using a callback to return a certificate for particular TLS sessionm, etc.

I find that sometimes I can get through a handshake without loading DH 
parameters, other times handshake fails unless I install them. As far as I 
can see that's the only major difference between my code that works without 
DH parameters, and the one that fails to handshake unless DH parameters are 
installed. Am I on the right track, or are there also other situations?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: </pipermail/attachments/20101002/c5d6ab7a/attachment.pgp>

More information about the Gnutls-help mailing list