[gnutls-help] dh parameters
Sean Greenslade
sean at seangreenslade.com
Thu Aug 29 21:14:37 CEST 2019
On August 27, 2019 10:39:49 PM PDT, Gregory Sloop <gregs at sloop.net> wrote:
>For some applications - say OpenVPN servers - I need a dh.pem [dh
>parameters file]
>It looks like GNUTLS doesn't have the option to generate dh params like
>OpenSSL does, but has the following as a option:
>certtool --get-dh-params --outfile dh.pem --sec-param ultra
>
>1) Will that ^^ do what I want?
>
>2) So, is there any difference between that and the openssl command to
>generate dh params?
>openssl dhparam -out /config/auth/dh.pem 4096
>
>3) If the certtool example above isn't adequate, is there a good way to
>accomplish what I want in certtool, or otherwise?
>
>4) Can someone point me to something that might be accessible to a mere
>mortal [i.e. non-cryptographer] for explanation? :)
>
>---
>#1 and 3 are the most important for me to get answers to.
>
>Thanks
>-Gre
As far as I know, both tools can generate DH param files usable by gnutls.
Regarding number 4, this page has some decent explanations if you have a little background in public-private crypto:
https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters
The really short version is that these parameters are used during the initial key exchange between the client and server. They are not secrets, however. The reason you may want to generate your own is to prevent certain types of attacks. That said, the attack is currently unfeasible for 4096-bit primes, so it's likely a moot point. See the above link for more details.
--Sean
More information about the Gnutls-help
mailing list