]>
Commit | Line | Data |
---|---|---|
ef7eaa4c DSH |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
b6b66573 | 5 | openssl-dhparam - DH parameter manipulation and generation |
ef7eaa4c DSH |
6 | |
7 | =head1 SYNOPSIS | |
8 | ||
41918458 | 9 | B<openssl dhparam> |
169394d4 | 10 | [B<-help>] |
e8769719 RS |
11 | [B<-inform> B<DER>|B<PEM>] |
12 | [B<-outform> B<DER>|B<PEM>] | |
41918458 BM |
13 | [B<-in> I<filename>] |
14 | [B<-out> I<filename>] | |
15 | [B<-dsaparam>] | |
fc1d88f0 | 16 | [B<-check>] |
ef7eaa4c DSH |
17 | [B<-noout>] |
18 | [B<-text>] | |
19 | [B<-C>] | |
09483c58 | 20 | [B<-2>] |
a38c878c | 21 | [B<-3>] |
09483c58 | 22 | [B<-5>] |
e8769719 RS |
23 | [B<-rand> I<file...>] |
24 | [B<-writerand> I<file>] | |
25 | [B<-engine> I<id>] | |
41918458 | 26 | [I<numbits>] |
ef7eaa4c | 27 | |
1738c0ce RS |
28 | =for comment ifdef dsaparam engine |
29 | ||
ef7eaa4c DSH |
30 | =head1 DESCRIPTION |
31 | ||
32 | This command is used to manipulate DH parameter files. | |
33 | ||
34 | =head1 OPTIONS | |
35 | ||
36 | =over 4 | |
37 | ||
169394d4 MR |
38 | =item B<-help> |
39 | ||
40 | Print out a usage message. | |
41 | ||
e8769719 | 42 | =item B<-inform> B<DER>|B<PEM> |
ef7eaa4c DSH |
43 | |
44 | This specifies the input format. The B<DER> option uses an ASN1 DER encoded | |
45 | form compatible with the PKCS#3 DHparameter structure. The PEM form is the | |
46 | default format: it consists of the B<DER> format base64 encoded with | |
47 | additional header and footer lines. | |
48 | ||
e8769719 | 49 | =item B<-outform> B<DER>|B<PEM> |
ef7eaa4c | 50 | |
7477c83e TM |
51 | This specifies the output format, the options have the same meaning and default |
52 | as the B<-inform> option. | |
ef7eaa4c | 53 | |
41918458 | 54 | =item B<-in> I<filename> |
ef7eaa4c DSH |
55 | |
56 | This specifies the input filename to read parameters from or standard input if | |
57 | this option is not specified. | |
58 | ||
41918458 | 59 | =item B<-out> I<filename> |
ef7eaa4c DSH |
60 | |
61 | This specifies the output filename parameters to. Standard output is used | |
62 | if this option is not present. The output filename should B<not> be the same | |
63 | as the input filename. | |
64 | ||
41918458 BM |
65 | =item B<-dsaparam> |
66 | ||
67 | If this option is used, DSA rather than DH parameters are read or created; | |
68 | they are converted to DH format. Otherwise, "strong" primes (such | |
69 | that (p-1)/2 is also prime) will be used for DH parameter generation. | |
70 | ||
71 | DH parameter generation with the B<-dsaparam> option is much faster, | |
72 | and the recommended exponent length is shorter, which makes DH key | |
73 | exchange more efficient. Beware that with such DSA-style DH | |
74 | parameters, a fresh DH key should be created for each use to | |
75 | avoid small-subgroup attacks that may be possible otherwise. | |
76 | ||
fc1d88f0 RS |
77 | =item B<-check> |
78 | ||
eeb21772 MC |
79 | Performs numerous checks to see if the supplied parameters are valid and |
80 | displays a warning if not. | |
fc1d88f0 | 81 | |
a38c878c | 82 | =item B<-2>, B<-3>, B<-5> |
09483c58 | 83 | |
a38c878c | 84 | The generator to use, either 2, 3 or 5. If present then the |
b5a379aa EK |
85 | input file is ignored and parameters are generated instead. If not |
86 | present but B<numbits> is present, parameters are generated with the | |
87 | default generator 2. | |
09483c58 | 88 | |
e8769719 | 89 | =item B<-rand> I<file...> |
09483c58 | 90 | |
c4de074e | 91 | A file or files containing random data used to seed the random number |
3ee1eac2 | 92 | generator. |
35ed393e | 93 | Multiple files can be specified separated by an OS-dependent character. |
b87ef946 | 94 | The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for |
a4cfd178 | 95 | all others. |
09483c58 | 96 | |
e8769719 | 97 | =item B<-writerand> I<file> |
3ee1eac2 RS |
98 | |
99 | Writes random data to the specified I<file> upon exit. | |
100 | This can be used with a subsequent B<-rand> flag. | |
101 | ||
41918458 | 102 | =item I<numbits> |
09483c58 | 103 | |
c4de074e | 104 | This option specifies that a parameter set should be generated of size |
b5a379aa EK |
105 | I<numbits>. It must be the last option. If this option is present then |
106 | the input file is ignored and parameters are generated instead. If | |
6de1fe90 | 107 | this option is not present but a generator (B<-2>, B<-3> or B<-5>) is |
b5a379aa | 108 | present, parameters are generated with a default length of 2048 bits. |
6de1fe90 | 109 | The minimim length is 512 bits. The maximum length is 10000 bits. |
09483c58 | 110 | |
ef7eaa4c DSH |
111 | =item B<-noout> |
112 | ||
c4de074e | 113 | This option inhibits the output of the encoded version of the parameters. |
ef7eaa4c DSH |
114 | |
115 | =item B<-text> | |
116 | ||
c4de074e | 117 | This option prints out the DH parameters in human readable form. |
ef7eaa4c DSH |
118 | |
119 | =item B<-C> | |
120 | ||
c4de074e | 121 | This option converts the parameters into C code. The parameters can then |
bbd86bf5 | 122 | be loaded by calling the get_dhNNNN() function. |
ef7eaa4c | 123 | |
e8769719 | 124 | =item B<-engine> I<id> |
bfa35550 | 125 | |
c4de074e | 126 | Specifying an engine (by its unique B<id> string) will cause B<dhparam> |
bfa35550 RL |
127 | to attempt to obtain a functional reference to the specified engine, |
128 | thus initialising it if needed. The engine will then be set as the default | |
129 | for all available algorithms. | |
130 | ||
ef7eaa4c DSH |
131 | =back |
132 | ||
09483c58 DSH |
133 | =head1 WARNINGS |
134 | ||
135 | The program B<dhparam> combines the functionality of the programs B<dh> and | |
b0700d2c | 136 | B<gendh> in previous versions of OpenSSL. The B<dh> and B<gendh> |
1bc74519 | 137 | programs are retained for now but may have different purposes in future |
09483c58 DSH |
138 | versions of OpenSSL. |
139 | ||
ef7eaa4c DSH |
140 | =head1 NOTES |
141 | ||
142 | PEM format DH parameters use the header and footer lines: | |
143 | ||
144 | -----BEGIN DH PARAMETERS----- | |
145 | -----END DH PARAMETERS----- | |
146 | ||
147 | OpenSSL currently only supports the older PKCS#3 DH, not the newer X9.42 | |
148 | DH. | |
149 | ||
150 | This program manipulates DH parameters not keys. | |
151 | ||
152 | =head1 BUGS | |
153 | ||
ef7eaa4c DSH |
154 | There should be a way to generate and manipulate DH keys. |
155 | ||
156 | =head1 SEE ALSO | |
157 | ||
b6b66573 DMSP |
158 | L<openssl(1)>, |
159 | L<openssl-dsaparam(1)> | |
ef7eaa4c | 160 | |
e2f92610 RS |
161 | =head1 COPYRIGHT |
162 | ||
a38c878c | 163 | Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. |
e2f92610 | 164 | |
449040b4 | 165 | Licensed under the Apache License 2.0 (the "License"). You may not use |
e2f92610 RS |
166 | this file except in compliance with the License. You can obtain a copy |
167 | in the file LICENSE in the source distribution or at | |
168 | L<https://www.openssl.org/source/license.html>. | |
169 | ||
170 | =cut |