]>
Commit | Line | Data |
---|---|---|
ef7eaa4c DSH |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
b6b66573 | 5 | openssl-dhparam - DH parameter manipulation and generation |
ef7eaa4c DSH |
6 | |
7 | =head1 SYNOPSIS | |
8 | ||
41918458 | 9 | B<openssl dhparam> |
169394d4 | 10 | [B<-help>] |
e8769719 RS |
11 | [B<-inform> B<DER>|B<PEM>] |
12 | [B<-outform> B<DER>|B<PEM>] | |
41918458 BM |
13 | [B<-in> I<filename>] |
14 | [B<-out> I<filename>] | |
15 | [B<-dsaparam>] | |
fc1d88f0 | 16 | [B<-check>] |
ef7eaa4c DSH |
17 | [B<-noout>] |
18 | [B<-text>] | |
19 | [B<-C>] | |
09483c58 | 20 | [B<-2>] |
a38c878c | 21 | [B<-3>] |
09483c58 | 22 | [B<-5>] |
fed8bd90 | 23 | [B<-rand> I<files>] |
e8769719 RS |
24 | [B<-writerand> I<file>] |
25 | [B<-engine> I<id>] | |
41918458 | 26 | [I<numbits>] |
ef7eaa4c | 27 | |
9f3c076b | 28 | =for openssl ifdef dsaparam engine |
1738c0ce | 29 | |
ef7eaa4c DSH |
30 | =head1 DESCRIPTION |
31 | ||
32 | This command is used to manipulate DH parameter files. | |
33 | ||
34 | =head1 OPTIONS | |
35 | ||
36 | =over 4 | |
37 | ||
169394d4 MR |
38 | =item B<-help> |
39 | ||
40 | Print out a usage message. | |
41 | ||
777182a0 | 42 | =item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM> |
ef7eaa4c | 43 | |
777182a0 RS |
44 | The input format and output format; the default is B<PEM>. |
45 | The object is compatible with the PKCS#3 B<DHparameter> structure. | |
46 | See L<openssl(1)/Format Options> for details. | |
ef7eaa4c | 47 | |
41918458 | 48 | =item B<-in> I<filename> |
ef7eaa4c DSH |
49 | |
50 | This specifies the input filename to read parameters from or standard input if | |
51 | this option is not specified. | |
52 | ||
41918458 | 53 | =item B<-out> I<filename> |
ef7eaa4c DSH |
54 | |
55 | This specifies the output filename parameters to. Standard output is used | |
56 | if this option is not present. The output filename should B<not> be the same | |
57 | as the input filename. | |
58 | ||
41918458 BM |
59 | =item B<-dsaparam> |
60 | ||
61 | If this option is used, DSA rather than DH parameters are read or created; | |
62 | they are converted to DH format. Otherwise, "strong" primes (such | |
63 | that (p-1)/2 is also prime) will be used for DH parameter generation. | |
64 | ||
65 | DH parameter generation with the B<-dsaparam> option is much faster, | |
66 | and the recommended exponent length is shorter, which makes DH key | |
67 | exchange more efficient. Beware that with such DSA-style DH | |
68 | parameters, a fresh DH key should be created for each use to | |
69 | avoid small-subgroup attacks that may be possible otherwise. | |
70 | ||
fc1d88f0 RS |
71 | =item B<-check> |
72 | ||
eeb21772 MC |
73 | Performs numerous checks to see if the supplied parameters are valid and |
74 | displays a warning if not. | |
fc1d88f0 | 75 | |
a38c878c | 76 | =item B<-2>, B<-3>, B<-5> |
09483c58 | 77 | |
a38c878c | 78 | The generator to use, either 2, 3 or 5. If present then the |
b5a379aa | 79 | input file is ignored and parameters are generated instead. If not |
2f0ea936 | 80 | present but I<numbits> is present, parameters are generated with the |
b5a379aa | 81 | default generator 2. |
09483c58 | 82 | |
a397aca4 | 83 | =item B<-rand> I<files>, B<-writerand> I<file> |
09483c58 | 84 | |
a397aca4 | 85 | See L<openssl(1)/Random State Options> for more information. |
3ee1eac2 | 86 | |
41918458 | 87 | =item I<numbits> |
09483c58 | 88 | |
c4de074e | 89 | This option specifies that a parameter set should be generated of size |
b5a379aa EK |
90 | I<numbits>. It must be the last option. If this option is present then |
91 | the input file is ignored and parameters are generated instead. If | |
6de1fe90 | 92 | this option is not present but a generator (B<-2>, B<-3> or B<-5>) is |
b5a379aa | 93 | present, parameters are generated with a default length of 2048 bits. |
6de1fe90 | 94 | The minimim length is 512 bits. The maximum length is 10000 bits. |
09483c58 | 95 | |
ef7eaa4c DSH |
96 | =item B<-noout> |
97 | ||
c4de074e | 98 | This option inhibits the output of the encoded version of the parameters. |
ef7eaa4c DSH |
99 | |
100 | =item B<-text> | |
101 | ||
c4de074e | 102 | This option prints out the DH parameters in human readable form. |
ef7eaa4c DSH |
103 | |
104 | =item B<-C> | |
105 | ||
c4de074e | 106 | This option converts the parameters into C code. The parameters can then |
bbd86bf5 | 107 | be loaded by calling the get_dhNNNN() function. |
ef7eaa4c | 108 | |
e8769719 | 109 | =item B<-engine> I<id> |
bfa35550 | 110 | |
2f0ea936 | 111 | Specifying an engine (by its unique I<id> string) will cause B<dhparam> |
bfa35550 RL |
112 | to attempt to obtain a functional reference to the specified engine, |
113 | thus initialising it if needed. The engine will then be set as the default | |
114 | for all available algorithms. | |
115 | ||
ef7eaa4c DSH |
116 | =back |
117 | ||
09483c58 DSH |
118 | =head1 WARNINGS |
119 | ||
35a810bb RL |
120 | This command combines the functionality of the L<openssl-dh(1)> and the |
121 | L<openssl-gendh(1)> commands in previous OpenSSL versions. | |
122 | The L<openssl-dh(1)> and L<openssl-gendh(1)> commands are retained for now but | |
123 | may have different purposes in future versions of OpenSSL. | |
09483c58 | 124 | |
ef7eaa4c DSH |
125 | =head1 NOTES |
126 | ||
ef7eaa4c DSH |
127 | OpenSSL currently only supports the older PKCS#3 DH, not the newer X9.42 |
128 | DH. | |
129 | ||
130 | This program manipulates DH parameters not keys. | |
131 | ||
132 | =head1 BUGS | |
133 | ||
ef7eaa4c DSH |
134 | There should be a way to generate and manipulate DH keys. |
135 | ||
136 | =head1 SEE ALSO | |
137 | ||
b6b66573 DMSP |
138 | L<openssl(1)>, |
139 | L<openssl-dsaparam(1)> | |
ef7eaa4c | 140 | |
e2f92610 RS |
141 | =head1 COPYRIGHT |
142 | ||
a38c878c | 143 | Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. |
e2f92610 | 144 | |
449040b4 | 145 | Licensed under the Apache License 2.0 (the "License"). You may not use |
e2f92610 RS |
146 | this file except in compliance with the License. You can obtain a copy |
147 | in the file LICENSE in the source distribution or at | |
148 | L<https://www.openssl.org/source/license.html>. | |
149 | ||
150 | =cut |