Recent OpenSSL versions tend to select a DH modulus size that matches (from a security point of view) the strength of the server's key pair (used to sign the ServerKeyExchange message). In the example above, the server has a 2048-bit RSA key, so OpenSSL elected to use a 2048-bit DH modulus (in this case, the well-known modulus described in RFC

Git - openssl.git/commitdiff
CVE-2018-0732
Signed-off-by: Guido Vranken
(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe)
Reviewed-by: Tim Hudson

    $ openssl ciphers -v "HIGH,-SHA,-AES256"
    DH-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AESGCM(128) Mac=AEAD
    DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc

    openssl -h
    openssl:Error: '-h' is an invalid command.

    Standard commands
    asn1parse ca ciphers cms crl crl2pkcs7 dgst dh dhparam dsa dsaparam enc engine errstr gendh gendsa genpkey genrsa nseq ocsp passwd pkcs12 pkcs7 pkcs8 pkey pkeyparam pkeyutl prime rand req rsa rsautl s_client s_server s_time sess_id smime speed spkac ts verify version x509

RFC 5114 Additional Diffie-Hellman Groups January 2008
The initial impetus for the definition of D-H groups (in the IETF) arose in the IPsec (IKE) context, because of the use of an ephemeral, unauthenticated D-H exchange as the starting point for that protocol.

To enable Squid to use modern DH/EDH exchanges/ciphers you must (depending on your OpenSSL build) create a DH params file and specify it with http(s)_port. To do that, first create the DH params file:

    # openssl dhparam -outform PEM -out dhparam.pem 2048

Then add the dhparams= or tls-dh= option to your bumped port specification (depending on Squid's version):

OpenSSL. The following sections describe how to use OpenSSL to generate a CSR for a single host name. If you want to generate a CSR for multiple host names, we recommend using the Cloud Control Panel or the MyRackspace Portal.

Install OpenSSL. Check whether OpenSSL is installed by using the following command: CentOS® and Red Hat® Enterprise

First generate a public/private DH keypair locally, and have the remote party do the same. We need to use the openssl command-line utility.

    # generate private/public keypair
    openssl dhparam -out dhparam.pem 2048
    openssl genpkey -paramfile dhparam.pem -out privatekey.pem
    # …

OpenSSL Flaw Enables HTTPS Decryption - BankInfoSecurity
OpenSSL on Jan. 28 also released a new fix for the so-called Logjam flaw, referring to yet another man-in-the-middle downgrade attack against TLS that can be used to force Diffie-Hellman crypto

Note: The function DH_get_2048_256 is scheduled for release in OpenSSL 1.0.2; it is not available in 1.0.1e or earlier.

Generating a Shared Secret
Having obtained a private/public key pair you need to also obtain the public key of the other communicating party. Refer to EVP Key Agreement for information on how to agree a shared secret.

    00077 -----END DH PARAMETERS-----
    00078 **** End of data ****

Note: You must only include DH parameters in your .pem file if VSE is the server. If VSE is the client (for example, as LDAP or FTP client), the remote server is responsible for providing the DH parameters during the session setup, and OpenSSL on VSE uses DHE-RSA