[gnutls-help] dh_params - docs

Andreas Metzler ametzler at bebt.de
Sun Aug 16 14:44:33 CEST 2020


the API reference manaual says this about gnutls_certificate_set_dh_params():

| gnutls_certificate_set_dh_params is deprecated and should not be used in
| newly-written code.
| This function is unnecessary and discouraged on GnuTLS 3.6.0 or later.
| Since 3.6.0, DH parameters are negotiated following RFC7919.

Which I would read as "when upgrading code to
(only) work with gnutls 3.6.0 one should delete any
gnutls_certificate_set_dh_params()-invocations since they are
unnecessary because GnuTLS will automatically do RFC7919 negotiation."

However it looks like (see below) that is not true, there is no
automation but gnutls_certificate_set_dh_params needs to be replaced with
gnutls_certificate_set_known_dh_params ().

To verify this, take ex-serv-x509 and remove 
gnutls_certificate_set_known_dh_params(x509_cred, GNUTLS_SEC_PARAM_MEDIUM);

After this change
openssl s_client -connect localhost:5556  -cipher DHE-RSA-AES256-GCM-SHA384 -tls1_2
will fail.

cu Andreas

`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

More information about the Gnutls-help mailing list