I’m trying to write some unit tests for Jessie, but I’ve hit a wall: apparently, no software exists that can generate an X.509 certificate with Diffie-Hellman keys, instead of RSA or DSS.
You see, there are two ways to exchange TLS keys with Diffie-Hellman: one is “ephemeral,” where the server and client generate a brand-new key pair on each connection, and the server signs those parameters with its key, an RSA or DSS key that it includes in its certificate. The other uses the Diffie-Hellman keys present in the server’s certificate, which are signed by the certificate authority. But I can’t seem to generate such a certificate with OpenSSL, GNU’s keytool implementation, or even Sun’s keytool!
So, it seems like no TLS software supports generating these certificates, that no-one ever tests these cipher suites in their implementation, and that they probably don’t work.
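
The two exchanges described above differ on the wire in a way a unit test can check: with the ephemeral suites (DHE_RSA, DHE_DSS) the server sends a ServerKeyExchange carrying its DH parameters and a signature over them, while with the fixed suites (DH_RSA, DH_DSS) it sends none and the DH key comes from the certificate. This is an added example, not code from the original post or from Jessie; it assumes the TLS 1.0/1.1 encoding (no signature-algorithm bytes before the signature), and the function names and sample bytes are constructed for illustration.

```python
import struct

EPHEMERAL_KX = {"DHE_RSA", "DHE_DSS"}  # fresh DH key per connection, signed with the cert key
STATIC_KX = {"DH_RSA", "DH_DSS"}       # DH key is the CA-signed key inside the certificate

def _read_vec16(buf, off):
    """Read one TLS opaque<..2^16-1> vector: 2-byte big-endian length, then the data."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    end = off + 2 + n
    if end > len(buf):
        raise ValueError("vector runs past end of message")
    return buf[off + 2:end], end

def parse_dhe_server_key_exchange(body):
    """Split a DHE ServerKeyExchange body into ServerDHParams and the signature."""
    p, off = _read_vec16(body, 0)
    g, off = _read_vec16(body, off)
    ys, off = _read_vec16(body, off)
    if not (p and g and ys):
        raise ValueError("empty DH parameter")
    params = body[:off]  # the bytes the signature covers (after both hello randoms)
    sig, off = _read_vec16(body, off)
    if off != len(body):
        raise ValueError("trailing bytes after signature")
    return {"p": int.from_bytes(p, "big"), "g": int.from_bytes(g, "big"),
            "ys": int.from_bytes(ys, "big"), "signed_params": params, "signature": sig}

def server_dh_source(kx, server_key_exchange):
    """Say where the server's DH public value comes from for this key exchange."""
    if kx in EPHEMERAL_KX:
        if server_key_exchange is None:
            raise ValueError("DHE suite without a signed ServerKeyExchange")
        return "server_key_exchange", parse_dhe_server_key_exchange(server_key_exchange)
    if kx in STATIC_KX:
        if server_key_exchange is not None:
            raise ValueError("static DH suite must not send ServerKeyExchange")
        return "certificate", None
    raise ValueError("not a Diffie-Hellman key exchange: %r" % kx)

# Constructed sample: toy group p=23, g=5, Ys=8 and a 4-byte placeholder signature.
SAMPLE_SKE = bytes.fromhex("000117" "000105" "000108" "0004aaaaaaaa")

if __name__ == "__main__":
    print(server_dh_source("DHE_RSA", SAMPLE_SKE))
    print(server_dh_source("DH_RSA", None))
```

The placeholder signature is not verified here; a real test would check it against the RSA or DSS key in the server certificate.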
