1 (edited by Zeddi 2014-03-11 01:26:27)

Topic: [SOLVED] Using pre-generated DH parameters for TLS connection setup

I saw that the benchmark.c file from wolfSSL embedded SSL contains a function for testing DH key generation/agreement (bench_dh).
For this test, pre-generated DH parameters from the file certs/dh2048.der are used.

I am now wondering if I can speed up the setup of TLS connections with ECDH-ECDSA-AES256-SHA and ECDHE-ECDSA-AES256-SHA cipher suites using pre-generated DH parameters.

I searched the code a little, but I didn't find a place where pre-generated DH parameters are used other than the benchmark function.

Is it possible to somehow use a pre-generated DH parameters file for TLS connections or am I misunderstanding this topic?

Thanks!
- Daniel


Re: [SOLVED] Using pre-generated DH parameters for TLS connection setup

Hi,

When using standard DH, pre-generated parameters can be loaded using one of the following functions from <wolfssl/ssl.h> with an SSL session (WOLFSSL) object:

int wolfSSL_SetTmpDH(WOLFSSL* ssl, const unsigned char* p, int pSz, const unsigned char* g, int gSz);
int wolfSSL_SetTmpDH_buffer(WOLFSSL* ssl, const unsigned char* b, long sz, int format);
int wolfSSL_SetTmpDH_file(WOLFSSL*, const char* f, int format);

Or with one of these, if loading into an SSL context (WOLFSSL_CTX):

int wolfSSL_CTX_SetTmpDH(WOLFSSL_CTX* ctx, const unsigned char* p, int pSz, const unsigned char* g, int gSz);
int wolfSSL_CTX_SetTmpDH_buffer(WOLFSSL_CTX* ctx, const unsigned char* b, long sz, int format);
int wolfSSL_CTX_SetTmpDH_file(WOLFSSL_CTX*, const char* f, int format);

Note that we don't support loading pre-generated ECDH parameters, as wolfSSL currently only supports P-256, and parameters are automatically generated.

Best Regards,
Chris
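As an added illustration (not code from the original thread or from wolfSSL itself): the `_buffer` and `_file` variants listed above take the parameter blob directly and use their `format` argument to say whether it is DER or PEM, but the plain `wolfSSL_SetTmpDH` / `wolfSSL_CTX_SetTmpDH` form wants the prime `p` and generator `g` as raw big-endian byte arrays. A file such as certs/dh2048.der is a PKCS#3 `DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER, privateValueLength INTEGER OPTIONAL }`, so the example below unpacks those two integers from DER and runs the sanity checks a practitioner would want before trusting a parameter file (minimum size, `p` odd, `1 < g < p-1`; it does not test primality, so only load parameters you generated yourself or obtained from a trusted source). The embedded DER blob is a constructed toy with a 64-bit prime, chosen so the size check visibly rejects it; the wolfSSL call it would feed is shown only in a comment so the file compiles without the library. Note also that these finite-field `(p, g)` values only matter for DHE cipher suites; the ECDH/ECDHE suites named in the question negotiate a named curve and take no parameter file, as the reply states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parsed PKCS#3 DHParameter: p and g as minimal big-endian magnitudes,
 * the form wolfSSL_SetTmpDH()/wolfSSL_CTX_SetTmpDH() expect. */
typedef struct {
    const uint8_t *p; size_t pSz;
    const uint8_t *g; size_t gSz;
} dh_params;

/* Constructed sample (NOT a real dh2048.der): SEQUENCE { INTEGER 2^64-59, INTEGER 2 }.
 * 2^64-59 = 0xFFFFFFFFFFFFFFC5 is prime, but far too small for real use. */
const uint8_t SAMPLE_DH_DER[] = {
    0x30, 0x0E,
      0x02, 0x09, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC5,
      0x02, 0x01, 0x02
};
const size_t SAMPLE_DH_DER_LEN = sizeof(SAMPLE_DH_DER);

/* Read a DER tag + definite length. Returns header size, or 0 on error. */
static size_t der_header(const uint8_t *buf, size_t len, uint8_t tag, size_t *bodyLen)
{
    size_t hdr, n;
    if (len < 2 || buf[0] != tag) return 0;
    if (buf[1] < 0x80) { *bodyLen = buf[1]; hdr = 2; }
    else {
        size_t nbytes = buf[1] & 0x7F;
        if (nbytes == 0 || nbytes > sizeof(size_t) || len < 2 + nbytes) return 0;
        *bodyLen = 0;
        for (n = 0; n < nbytes; n++) *bodyLen = (*bodyLen << 8) | buf[2 + n];
        hdr = 2 + nbytes;
    }
    if (*bodyLen > len - hdr) return 0;      /* length runs past the buffer */
    return hdr;
}

/* Parse one non-negative DER INTEGER; strips the sign-padding 0x00 byte. */
static size_t der_uint(const uint8_t *buf, size_t len, const uint8_t **val, size_t *valSz)
{
    size_t body, hdr = der_header(buf, len, 0x02, &body);
    if (hdr == 0 || body == 0) return 0;
    const uint8_t *v = buf + hdr;
    size_t vSz = body;
    if (v[0] & 0x80) return 0;               /* negative: not a valid DH value */
    while (vSz > 1 && v[0] == 0x00) { v++; vSz--; }
    *val = v; *valSz = vSz;
    return hdr + body;
}

/* Returns 1 and fills out on success, 0 on malformed input.
 * The optional privateValueLength field, if present, is ignored. */
int parse_dh_params(const uint8_t *der, size_t derSz, dh_params *out)
{
    size_t seqLen, i = der_header(der, derSz, 0x30, &seqLen);
    if (i == 0) return 0;
    size_t end = i + seqLen;
    size_t n = der_uint(der + i, end - i, &out->p, &out->pSz);
    if (n == 0) return 0;
    i += n;
    n = der_uint(der + i, end - i, &out->g, &out->gSz);
    return n != 0;
}

size_t dh_bit_length(const dh_params *dp)
{
    size_t bits = (dp->pSz - 1) * 8;
    for (uint8_t top = dp->p[0]; top; top >>= 1) bits++;
    return bits;
}

static int cmp_mag(const uint8_t *a, size_t aSz, const uint8_t *b, size_t bSz)
{
    if (aSz != bSz) return aSz < bSz ? -1 : 1;
    return memcmp(a, b, aSz);
}

/* Sanity checks before handing p,g to the library: p at least min_bits
 * and odd, and 1 < g < p-1. Deliberately no primality test (see lead-in). */
int check_dh_params(const dh_params *dp, size_t min_bits)
{
    size_t last = dp->pSz - 1;
    if (dh_bit_length(dp) < min_bits) return 0;
    if ((dp->p[last] & 1) == 0) return 0;                     /* p must be odd */
    if (dp->gSz == 1 && dp->g[0] < 2) return 0;               /* g >= 2 */
    if (cmp_mag(dp->g, dp->gSz, dp->p, dp->pSz) >= 0) return 0; /* g < p */
    /* p is odd, so p-1 is p with its last byte decremented: reject g == p-1 */
    if (dp->gSz == dp->pSz && memcmp(dp->g, dp->p, last) == 0 &&
        dp->g[last] == dp->p[last] - 1) return 0;
    return 1;
}

int main(void)
{
    dh_params dp;
    if (!parse_dh_params(SAMPLE_DH_DER, SAMPLE_DH_DER_LEN, &dp)) {
        fprintf(stderr, "malformed DHParameter\n");
        return 1;
    }
    printf("p: %zu bits, g: %zu byte(s)\n", dh_bit_length(&dp), dp.gSz);
    printf("accept at 2048-bit minimum: %d\n", check_dh_params(&dp, 2048));
    /* With a real 2048-bit file this is where the values would be loaded:
     *   wolfSSL_CTX_SetTmpDH(ctx, dp.p, (int)dp.pSz, dp.g, (int)dp.gSz);
     * or, skipping the parser entirely, the DER blob itself via the buffer
     * variant (assumed format constant from <wolfssl/ssl.h>):
     *   wolfSSL_CTX_SetTmpDH_buffer(ctx, der, derSz, SSL_FILETYPE_ASN1);  */
    return 0;
}
```

Running it on the toy blob reports a 64-bit `p` and rejects it at a 2048-bit minimum; only after swapping in a real 2048-bit parameter file would the commented-out `wolfSSL_CTX_SetTmpDH` line make sense. The `_buffer`/`_file` functions from the reply are the simpler route when you already have the DER or PEM file on hand; the manual unpacking is mainly useful when the parameters live in a firmware image as two bare integers.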