Next: , Previous: , Up: Advanced topics   [Contents][Index]


6.12.4 Parameter generation

Few TLS ciphersuites require additional parameters that need to be generated or provided by the application. In particular, the Diffie-Hellman based ciphersuites (ANON-DH or DHE), require the group parameters to be provided. Applications can specify these parameters in a TLS credentials structure by calling gnutls_certificate_set_known_dh_params, gnutls_anon_set_server_known_dh_params, or gnutls_psk_set_server_known_dh_params, depending on the type of the credentials.

int gnutls_certificate_set_known_dh_params (gnutls_certificate_credentials_t res, gnutls_sec_param_t sec_param)
int gnutls_anon_set_server_known_dh_params (gnutls_anon_server_credentials_t res, gnutls_sec_param_t sec_param)
int gnutls_psk_set_server_known_dh_params (gnutls_psk_server_credentials_t res, gnutls_sec_param_t sec_param)

The functions above will set DH parameters pre-configured in the library based on the security level provided. The GnuTLS’ included parameters are the FFDHE parameters from [RFC7919].

6.12.4.1 Legacy parameter generation

Note that older than 3.5.6 versions of GnuTLS provided functions to generate or import arbitrary DH parameters from a file. This practice is still supported but discouraged in current versions. There is no known advantage from using random parameters, while there have been several occasions where applications were utilizing incorrect, or insecure parameters. This is the main reason GnuTLS includes the well-known parameters of [RFC7919] and recommends to applications utilizing them.

In older applications which require to specify explicit DH parameters, we recommend using certtool (of GnuTLS 3.5.6 or later) with the --get-dh-params option to obtain the FFDHE parameters descussed above. The output parameters of the tool are in PKCS#3 format and can be imported by most existing applications.

The following functions are still supported but considered obsolete.

int gnutls_dh_params_generate2 (gnutls_dh_params_t dparams, unsigned int bits)
int gnutls_dh_params_import_pkcs3 (gnutls_dh_params_t params, const gnutls_datum_t * pkcs3_params, gnutls_x509_crt_fmt_t format)
void gnutls_certificate_set_dh_params (gnutls_certificate_credentials_t res, gnutls_dh_params_t dh_params)

Next: , Previous: , Up: Advanced topics   [Contents][Index]