[gnutls-help] dh_params - docs
Andreas Metzler
ametzler at bebt.de
Sun Aug 16 14:44:33 CEST 2020
Hello,
the API reference manaual says this about gnutls_certificate_set_dh_params():
| gnutls_certificate_set_dh_params is deprecated and should not be used in
| newly-written code.
|
| This function is unnecessary and discouraged on GnuTLS 3.6.0 or later.
| Since 3.6.0, DH parameters are negotiated following RFC7919.
Which I would read as "when upgrading code to
(only) work with gnutls 3.6.0 one should delete any
gnutls_certificate_set_dh_params()-invocations since they are
unnecessary because GnuTLS will automatically do RFC7919 negotiation."
However it looks like (see below) that is not true, there is no
automation but gnutls_certificate_set_dh_params needs to be replaced with
gnutls_certificate_set_known_dh_params ().
To verify this, take ex-serv-x509 and remove
gnutls_certificate_set_known_dh_params(x509_cred, GNUTLS_SEC_PARAM_MEDIUM);
After this change
openssl s_client -connect localhost:5556 -cipher DHE-RSA-AES256-GCM-SHA384 -tls1_2
will fail.
cu Andreas
https://github.com/rbsec/sslscan/issues/214
https://bugs.debian.org/968145
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
More information about the Gnutls-help
mailing list