When do I need to install dh parameters?

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Oct 7 09:09:00 CEST 2010

On 10/03/2010 04:19 PM, Sam Varshavchik wrote:

>> Depends on the ciphersuite chosen (by you or the peer). The DHE
>> ciphersuites require them.
> Thanks, but my question was, fundamentally, why would
> AES-256-CBC/RSA/SHA1 be unavailable, and common ciphersuites for a
> session would include only DHE ciphersuites, like,
> AES-256-CBC/DHE-RSA/SHA1, so DH parameters are required.

It depends on your and your peer's configuration. If the peer accepts
only DHE, or has them at higher priority than the non-DHE ciphersuites
you might end-up negotiating them. You should disable them if you don't
want to negotiate them.

> The docs I read were easily understood in terms of requirements for
> temporary RSA parametes -- to support weak ciphersuites. But for DH
> parameters, the documented requirement was described as just to support
> DHE ciphersuites, but without explaining when DHE ciphersuites are
> required.

There is no such "required". They are used if you asked for them
(enabled in the priority strings).

> By trial and error, I think I found at least a part of the answer: it
> seems to me that if the server's certificate includes the
> GNUTLS_KEY_KEY_ENCIPHERMENT flag, set by gnutls_x509_crt_set_key(), then
> the non-DHE cipher suites are available. Without this flag, only DHE
> ciphersuites are available for negotiation.

This flag orders the server not to use signing with this key. Because
the DHE ciphersuites use signing they are effectively disabled. It's
a side-effect. If you want to disable them use the priority strings.

btw. I think it is a bad idea disabling them. They offer a higher
security level than the plain RSA ciphersuites, due to perfect forward
secrecy (that is if someone steals your private key at some point, he
will not be able to decrypt previously cached sessions).


More information about the Gnutls-help mailing list