SSL_CTX_SET_TMP_DH_CALLBACK - Online Linux Manual PageSection : 3ossl
Updated : 2022-03-15
Source : 3.0.2
Note : OpenSSL

NAMESSL_CTX_set_dh_auto, SSL_set_dh_auto, SSL_CTX_set0_tmp_dh_pkey, SSL_set0_tmp_dh_pkey, SSL_CTX_set_tmp_dh_callback, SSL_CTX_set_tmp_dh, SSL_set_tmp_dh_callback, SSL_set_tmp_dh ​− handle DH keys for ephemeral key exchange

SYNOPSIS​ #include <openssl/ssl.h> ​ ​ long SSL_CTX_set_dh_auto(SSL_CTX *ctx, int onoff); ​ long SSL_set_dh_auto(SSL *s, int onoff); ​ int SSL_CTX_set0_tmp_dh_pkey(SSL_CTX *ctx, EVP_PKEY *dhpkey); ​ int SSL_set0_tmp_dh_pkey(SSL *s, EVP_PKEY *dhpkey); The following functions have been deprecated since OpenSSL 3.0, and can be hidden entirely by defining OPENSSL_API_COMPAT with a suitable version value, see openssl_user_macros(7): ​ void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, ​ DH *(*tmp_dh_callback)(SSL *ssl, int is_export, ​ int keylength)); ​ long SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh); ​ ​ void SSL_set_tmp_dh_callback(SSL *ctx, ​ DH *(*tmp_dh_callback)(SSL *ssl, int is_export, ​ int keylength)); ​ long SSL_set_tmp_dh(SSL *ssl, DH *dh);

DESCRIPTIONThe functions described on this page are relevant for servers only. Some ciphersuites may use ephemeral Diffie-Hellman (DH) key exchange. In these cases, the session data is negotiated using the ephemeral/temporary DH key and the key supplied and certified by the certificate chain is only used for signing. Anonymous ciphers (without a permanent server key) also use ephemeral ​DH keys. Using ephemeral DH key exchange yields forward secrecy as the connection can only be decrypted when the DH key is known. By generating a temporary ​DH key inside the server application that is lost when the application is left, it becomes impossible for an attacker to decrypt past sessions, even if they get hold of the normal (certified) key, as this key was only used for signing. In order to perform a DH key exchange the server must use a DH group (DH parameters) and generate a DH key. The server will always generate a new DH key during the negotiation. As generating DH parameters is extremely time consuming, an application should not generate the parameters on the fly. DH parameters can be reused, as the actual key is newly generated during the negotiation. Typically applications should use well know DH parameters that have built-in support in OpenSSL. The macros SSL_CTX_set_dh_auto() and SSL_set_dh_auto() configure OpenSSL to use the default built-in DH parameters for the SSL_CTX and SSL objects respectively. Passing a value of 1 in the onoff parameter switches the feature on, and passing a value of 0 switches it off. The default setting is off. If auto DH parameters are switched on then the parameters will be selected to be consistent with the size of the key associated with the server's certificate. If there is no certificate (e.g. for PSK ciphersuites), then it it will be consistent with the size of the negotiated symmetric cipher key. Applications may supply their own DH parameters instead of using the built-in values. This approach is discouraged and applications should in preference use the built-in parameter support described above. Applications wishing to supply their own DH parameters should call SSL_CTX_set0_tmp_dh_pkey() or ​SSL_set0_tmp_dh_pkey() to supply the parameters for the SSL_CTX or SSL respectively. The parameters should be supplied in the dhpkey argument as an EVP_PKEY containg DH parameters. Ownership of the dhpkey value is passed to the SSL_CTX or SSL object as a result of this call, and so the caller should not free it if the function call is succesful. The deprecated macros SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() do the same thing as() and SSL_set0_tmp_dh_pkey() except that the ​DH parameters are supplied in a DH object instead in the dh argument, and ownership of the DH object is retained by the application. Applications should use auto parameters instead, or call SSL_CTX_set0_tmp_dh_pkey() or ​SSL_set0_tmp_dh_pkey() as appropriate. An application may instead specify the DH parameters via a callback function using the functions SSL_CTX_set_tmp_dh_callback() or SSL_set_tmp_dh_callback() to set the callback for the SSL_CTX or SSL object respectively. These functions are deprecated. Applications should instead use auto parameters, or specify the parameters via SSL_CTX_set0_tmp_dh_pkey() or SSL_set0_tmp_dh_pkey() as appropriate. The callback will be invoked during a connection when DH parameters are required. The SSL object for the current connection is supplied as an argument. Previous versions of OpenSSL used the is_export and keylength arguments to control parameter generation for export and non-export cipher suites. Modern OpenSSL does not support export ciphersuites and so these arguments are unused and can be ignored by the callback. The callback should return the parameters to be used in a DH object. Ownership of the DH object is retained by the application and should later be freed.

RETURN VALUESAll of these functions/macros return 1 for success or 0 on error.

SEE ALSOssl(7), SSL_CTX_set_cipher_list(3), ​SSL_CTX_set_options(3), ​openssl−ciphers(1), openssl−dhparam(1)

COPYRIGHTCopyright 2001−2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the License). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <https://www.openssl.org/source/license.html>.
0
Johanes Gumabo
Data Size   :   16,650 byte
man-SSL_set_tmp_dh_callback.3osslBuild   :   2024-12-05, 20:55   :  
Visitor Screen   :   x
Visitor Counter ( page / site )   :   4 / 199,675
Visitor ID   :     :  
Visitor IP   :   3.138.113.44   :  
Visitor Provider   :   AMAZON-02   :  
Provider Position ( lat x lon )   :   39.962500 x -83.006100   :   x
Provider Accuracy Radius ( km )   :   1000   :  
Provider City   :   Columbus   :  
Provider Province   :   Ohio ,   :   ,
Provider Country   :   United States   :  
Provider Continent   :   North America   :  
Visitor Recorder   :   Version   :  
Visitor Recorder   :   Library   :  
Online Linux Manual Page   :   Version   :   Online Linux Manual Page - Fedora.40 - march=x86-64 - mtune=generic - 24.12.05
Online Linux Manual Page   :   Library   :   lib_c - 24.10.03 - march=x86-64 - mtune=generic - Fedora.40
Online Linux Manual Page   :   Library   :   lib_m - 24.10.03 - march=x86-64 - mtune=generic - Fedora.40
Data Base   :   Version   :   Online Linux Manual Page Database - 24.04.13 - march=x86-64 - mtune=generic - fedora-38
Data Base   :   Library   :   lib_c - 23.02.07 - march=x86-64 - mtune=generic - fedora.36

Very long time ago, I have the best tutor, Wenzel Svojanovsky . If someone knows the email address of Wenzel Svojanovsky , please send an email to johanes_gumabo@yahoo.co.id .
If error, please print screen and send to johanes_gumabo@yahoo.co.id
Under development. Support me via PayPal.

ERROR : Need New Coding :         (parse_manual_page_|249|S___SL_CTX_set0_tmp_dh_pkey.3ossl|36/37|el══─{─══.|.el══─{─══. ds -- \|\(em\| )         (htmlprn|149|S___SL_CTX_set0_tmp_dh_pkey.3ossl|36/37|.el══─{─══. ds --  —  |.el══─{─══. ds -- \|\(em\| )         (parse_manual_page_|249|S___SL_CTX_set0_tmp_dh_pkey.3ossl|43|br══─}─══|'br══─}─══ )         (htmlprn|149|S___SL_CTX_set0_tmp_dh_pkey.3ossl|43|'br══─}─══ |'br══─}─══ )