[gnutls-help] dh_params - docs

Daiki Ueno ueno at gnu.org
Mon Aug 17 14:36:25 CEST 2020

Andreas Metzler <ametzler at bebt.de> writes:

> the API reference manaual says this about gnutls_certificate_set_dh_params():
> | gnutls_certificate_set_dh_params is deprecated and should not be used in
> | newly-written code.
> | 
> | This function is unnecessary and discouraged on GnuTLS 3.6.0 or later.
> | Since 3.6.0, DH parameters are negotiated following RFC7919.
> Which I would read as "when upgrading code to
> (only) work with gnutls 3.6.0 one should delete any
> gnutls_certificate_set_dh_params()-invocations since they are
> unnecessary because GnuTLS will automatically do RFC7919 negotiation."
> However it looks like (see below) that is not true, there is no
> automation but gnutls_certificate_set_dh_params needs to be replaced with
> gnutls_certificate_set_known_dh_params ().
> To verify this, take ex-serv-x509 and remove 
> gnutls_certificate_set_known_dh_params(x509_cred, GNUTLS_SEC_PARAM_MEDIUM);
> After this change
> openssl s_client -connect localhost:5556 -cipher
> DHE-RSA-AES256-GCM-SHA384 -tls1_2
> will fail.

That was also my expectation, though I suspect that it's saying that it
only works when the client advertises the "supported_groups" extension
according to the RFC, which is not sent with the above command.

In the OpenSSL git master, s_client provides the -groups option for
that, and you will be able to connect to the server with:

  $ openssl s_client -connect localhost:5556 -tls1_3 -groups ffdhe2048

though the option doesn't seem to work with -tls1_2.

Daiki Ueno

More information about the Gnutls-help mailing list