1=pod 2 3=head1 NAME 4 5SSL_CTX_set_dh_auto, SSL_set_dh_auto, SSL_CTX_set0_tmp_dh_pkey, 6SSL_set0_tmp_dh_pkey, SSL_CTX_set_tmp_dh_callback, SSL_CTX_set_tmp_dh, 7SSL_set_tmp_dh_callback, SSL_set_tmp_dh 8- handle DH keys for ephemeral key exchange 9 10=head1 SYNOPSIS 11 12 #include <openssl/ssl.h> 13 14 long SSL_CTX_set_dh_auto(SSL_CTX *ctx, int onoff); 15 long SSL_set_dh_auto(SSL *s, int onoff); 16 int SSL_CTX_set0_tmp_dh_pkey(SSL_CTX *ctx, EVP_PKEY *dhpkey); 17 int SSL_set0_tmp_dh_pkey(SSL *s, EVP_PKEY *dhpkey); 18 19The following functions have been deprecated since OpenSSL 3.0, and can be 20hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value, 21see L<openssl_user_macros(7)>: 22 23 void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, 24 DH *(*tmp_dh_callback)(SSL *ssl, int is_export, 25 int keylength)); 26 long SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh); 27 28 void SSL_set_tmp_dh_callback(SSL *ctx, 29 DH *(*tmp_dh_callback)(SSL *ssl, int is_export, 30 int keylength)); 31 long SSL_set_tmp_dh(SSL *ssl, DH *dh); 32 33=head1 DESCRIPTION 34 35The functions described on this page are relevant for servers only. 36 37Some ciphersuites may use ephemeral Diffie-Hellman (DH) key exchange. In these 38cases, the session data is negotiated using the ephemeral/temporary DH key and 39the key supplied and certified by the certificate chain is only used for 40signing. Anonymous ciphers (without a permanent server key) also use ephemeral 41DH keys. 42 43Using ephemeral DH key exchange yields forward secrecy as the connection 44can only be decrypted when the DH key is known. By generating a temporary 45DH key inside the server application that is lost when the application 46is left, it becomes impossible for an attacker to decrypt past sessions, 47even if they get hold of the normal (certified) key, as this key was 48only used for signing. 49 50In order to perform a DH key exchange the server must use a DH group 51(DH parameters) and generate a DH key. The server will always generate 52a new DH key during the negotiation. 53 54As generating DH parameters is extremely time consuming, an application 55should not generate the parameters on the fly. DH parameters can be reused, as 56the actual key is newly generated during the negotiation. 57 58Typically applications should use well known DH parameters that have built-in 59support in OpenSSL. The macros SSL_CTX_set_dh_auto() and SSL_set_dh_auto() 60configure OpenSSL to use the default built-in DH parameters for the B<SSL_CTX> 61and B<SSL> objects respectively. Passing a value of 2 or 1 in the I<onoff> 62parameter switches it on. If the I<onoff> parameter is set to 2, it will force 63the DH key size to 1024 if the B<SSL_CTX> or B<SSL> security level 64L<SSL_CTX_set_security_level(3)> is 0 or 1. Passing a value of 0 switches 65it off. The default setting is off. 66 67If "auto" DH parameters are switched on then the parameters will be selected to 68be consistent with the size of the key associated with the server's certificate. 69If there is no certificate (e.g. for PSK ciphersuites), then it it will be 70consistent with the size of the negotiated symmetric cipher key. 71 72Applications may supply their own DH parameters instead of using the built-in 73values. This approach is discouraged and applications should in preference use 74the built-in parameter support described above. Applications wishing to supply 75their own DH parameters should call SSL_CTX_set0_tmp_dh_pkey() or 76SSL_set0_tmp_dh_pkey() to supply the parameters for the B<SSL_CTX> or B<SSL> 77respectively. The parameters should be supplied in the I<dhpkey> argument as 78an B<EVP_PKEY> containing DH parameters. Ownership of the I<dhpkey> value is 79passed to the B<SSL_CTX> or B<SSL> object as a result of this call, and so the 80caller should not free it if the function call is successful. 81 82The deprecated macros SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() do the same 83thing as SSL_CTX_set0_tmp_dh_pkey() and SSL_set0_tmp_dh_pkey() except that the 84DH parameters are supplied in a B<DH> object instead in the I<dh> argument, and 85ownership of the B<DH> object is retained by the application. Applications 86should use "auto" parameters instead, or call SSL_CTX_set0_tmp_dh_pkey() or 87SSL_set0_tmp_dh_pkey() as appropriate. 88 89An application may instead specify the DH parameters via a callback function 90using the functions SSL_CTX_set_tmp_dh_callback() or SSL_set_tmp_dh_callback() 91to set the callback for the B<SSL_CTX> or B<SSL> object respectively. These 92functions are deprecated. Applications should instead use "auto" parameters, or 93specify the parameters via SSL_CTX_set0_tmp_dh_pkey() or SSL_set0_tmp_dh_pkey() 94as appropriate. 95 96The callback will be invoked during a connection when DH parameters are 97required. The B<SSL> object for the current connection is supplied as an 98argument. Previous versions of OpenSSL used the B<is_export> and B<keylength> 99arguments to control parameter generation for export and non-export 100cipher suites. Modern OpenSSL does not support export ciphersuites and so these 101arguments are unused and can be ignored by the callback. The callback should 102return the parameters to be used in a DH object. Ownership of the DH object is 103retained by the application and should later be freed. 104 105=head1 RETURN VALUES 106 107All of these functions/macros return 1 for success or 0 on error. 108 109=head1 SEE ALSO 110 111L<ssl(7)>, L<SSL_CTX_set_cipher_list(3)>, 112L<SSL_CTX_set_options(3)>, 113L<openssl-ciphers(1)>, L<openssl-dhparam(1)> 114 115=head1 COPYRIGHT 116 117Copyright 2001-2025 The OpenSSL Project Authors. All Rights Reserved. 118 119Licensed under the Apache License 2.0 (the "License"). You may not use 120this file except in compliance with the License. You can obtain a copy 121in the file LICENSE in the source distribution or at 122L<https://www.openssl.org/source/license.html>. 123 124=cut 125