automatically set DH parameters for ephemeral keying
authorAlan T. DeKok <aland@freeradius.org>
Thu, 26 Jun 2025 14:18:01 +0000 (10:18 -0400)
committerAlan T. DeKok <aland@freeradius.org>
Thu, 26 Jun 2025 14:18:01 +0000 (10:18 -0400)
and update sample config / docs to match

doc/antora/modules/reference/pages/raddb/mods-available/eap.adoc
doc/antora/modules/reference/pages/raddb/mods-available/eap_inner.adoc
doc/antora/modules/reference/pages/raddb/sites-available/tls.adoc
raddb/mods-available/eap
raddb/mods-available/eap_inner
raddb/sites-available/tls
src/lib/tls/ctx.c

index cdbbc442465ae3a635fc215ebcfd93ce36814134..6b4c4b5a2aefea7d5fc3057f4919ab2d8261d568 100644 (file)
@@ -467,13 +467,16 @@ need to customize it for your installation.
 
 
 
-For DH cipher suites to work, you have to run OpenSSL to
-create the DH file first:
+You can create the DH parameters by running the
+following command:
 
        openssl dhparam -out certs/dh 2048
 
 The DH parameters will usually be ignored in FIPS mode.
 
+If this file isn't specified, then OpenSSL will
+automatically set the correct DH parameters.
+
 
 
 fragment_size:: Limit for size of EAP fragments.
@@ -1399,7 +1402,7 @@ eap {
 #              psk_identity = "test"
 #              psk_hexphrase = "036363823"
 #              psk_query = "%sql(select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}')"
-               dh_file = ${certdir}/dh
+#              dh_file = ${certdir}/dh
 #              fragment_size = 1024
                ca_path = ${cadir}
                cipher_list = "DEFAULT"
index 4140837e6ee1353c1cfbd44071f050dd103e546e..cdc36b21f32db145ddaf80773da7d4ef1fa14fe5 100644 (file)
@@ -79,7 +79,7 @@ ca_file:: See the `eap` module for common configuration explanation.
 
 
 
-dh_file::
+dh_file:: See xref:reference:raddb/mods-available/eap.adoc[mods-available/eap]
 
 
 
@@ -157,7 +157,7 @@ eap inner-eap {
                        private_key_file = ${certdir}/rsa/server.key
                }
                ca_file = ${cadir}/rsa/ca.pem
-               dh_file = ${certdir}/dh
+#              dh_file = ${certdir}/dh
 #              random_file = /dev/urandom
                fragment_size = 16384
 #              check_crl = yes
index 0ee0fe625d8e8a5dc5d251479c908ffe789191b0..d839c1e7f06f206ad5945499efb28ce1f8f7157b 100644 (file)
@@ -93,13 +93,18 @@ this configuration item.
 
 ```
 
-For DH cipher suites to work, you have to
-run OpenSSL to create the DH file first:
+You can create the DH parameters by running the
+following command:
 
-       openssl dhparam -out certs/dh 1024
+       openssl dhparam -out certs/dh 2048
+
+The DH parameters will usually be ignored in FIPS mode.
+
+If this file isn't specified, then OpenSSL will
+automatically set the correct DH parameters.
 
 ```
-                       dh_file = ${certdir}/dh
+#                      dh_file = ${certdir}/dh
 
 ```
 
index e7a888897e9b805f3f0bc88055ced09d08206ebd..562ad3e4d8f3470168cdd522053f328377c148d2 100644 (file)
@@ -517,14 +517,17 @@ eap {
 #              psk_query = "%sql(select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}')"
 
                #
-               #  For DH cipher suites to work, you have to run OpenSSL to
-               #  create the DH file first:
+               #  You can create the DH parameters by running the
+               #  following command:
                #
                #       openssl dhparam -out certs/dh 2048
                #
                #  The DH parameters will usually be ignored in FIPS mode.
                #
-               dh_file = ${certdir}/dh
+               #  If this file isn't specified, then OpenSSL will
+               #  automatically set the correct DH parameters.
+               #
+#              dh_file = ${certdir}/dh
 
                #
                #  fragment_size:: Limit for size of EAP fragments.
index f604c117d5eccbad51c3fcc55476092dee1c091f..c89d474862bc1521f5029a6084f6b828b0ded70b 100644 (file)
@@ -106,9 +106,9 @@ eap inner-eap {
                ca_file = ${cadir}/rsa/ca.pem
 
                #
-               #  dh_file::
+               #  dh_file:: See `mods-available/eap`
                #
-               dh_file = ${certdir}/dh
+#              dh_file = ${certdir}/dh
 
                #
                #  random_file:: See the `eap` module for common configuration explanation.
index 7c730abe04715eb37aefb6729a043f332ea9c94e..a0a05deecef930b2a4953a5f37b247e55b6c496f 100644 (file)
@@ -81,12 +81,17 @@ server radsec {
                        ca_file = ${cadir}/ca.pem
 
                        #
-                       #  For DH cipher suites to work, you have to
-                       #  run OpenSSL to create the DH file first:
+                       #  You can create the DH parameters by running the
+                       #  following command:
                        #
-                       #       openssl dhparam -out certs/dh 1024
+                       #       openssl dhparam -out certs/dh 2048
                        #
-                       dh_file = ${certdir}/dh
+                       #  The DH parameters will usually be ignored in FIPS mode.
+                       #
+                       #  If this file isn't specified, then OpenSSL will
+                       #  automatically set the correct DH parameters.
+                       #
+#                      dh_file = ${certdir}/dh
 
                        #
                        #  If your system doesn't have /dev/urandom,
index ed60a308303ec4610ac259b6f90de4acfb0b046f..d08c0168ba1b6ca426e8b73f6413b16670058c93 100644 (file)
@@ -961,7 +961,17 @@ post_ca:
        /*
         *      Load dh params
         */
-       if (conf->dh_file && (ctx_dh_params_load(ctx, UNCONST(char *, conf->dh_file)) < 0)) goto error;
+       if (conf->dh_file) {
+               if (ctx_dh_params_load(ctx, UNCONST(char *, conf->dh_file)) < 0) goto error;
+       } else {
+               /*
+                *      Tell OpenSSL to automatically set the DH
+                *      parameters based on the the size of the key
+                *      associated with the certificate, or for PSK,
+                *      with the negotiated symmetric cipher key.
+                */
+               SSL_CTX_set_dh_auto(ctx, 1);
+       }
 
        /*
         *      Setup session caching
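Review bot: The return value of `SSL_CTX_set_dh_auto(ctx, 1)` in the new else branch is discarded; OpenSSL documents it as returning 1 on success and 0 on failure (it is an SSL_CTX_ctrl wrapper), so a failure would leave the context silently without DH parameters, whereas the dh_file path just above jumps to `error`. Suggest `if (SSL_CTX_set_dh_auto(ctx, 1) != 1) goto error;`, ideally with a diagnostic naming the failed call. The new comment also carries a doubled word, `based on the the size`. Because the sample configs in this commit comment out dh_file, this branch becomes the default, so it may be worth stating in the comment that the auto-selected parameters appear to apply only to DHE ciphersuites in TLS 1.2 and earlier, TLS 1.3 key-exchange groups being configured separately. The enclosing function continues outside the hunk.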