]>
Commit | Line | Data |
---|---|---|
ef7eaa4c DSH |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
3f2181e6 | 5 | openssl-dhparam, |
09483c58 | 6 | dhparam - DH parameter manipulation and generation |
ef7eaa4c DSH |
7 | |
8 | =head1 SYNOPSIS | |
9 | ||
41918458 | 10 | B<openssl dhparam> |
169394d4 | 11 | [B<-help>] |
ef7eaa4c DSH |
12 | [B<-inform DER|PEM>] |
13 | [B<-outform DER|PEM>] | |
41918458 BM |
14 | [B<-in> I<filename>] |
15 | [B<-out> I<filename>] | |
16 | [B<-dsaparam>] | |
fc1d88f0 | 17 | [B<-check>] |
ef7eaa4c DSH |
18 | [B<-noout>] |
19 | [B<-text>] | |
20 | [B<-C>] | |
09483c58 | 21 | [B<-2>] |
a38c878c | 22 | [B<-3>] |
09483c58 | 23 | [B<-5>] |
3ee1eac2 RS |
24 | [B<-rand file...>] |
25 | [B<-writerand file>] | |
bfa35550 | 26 | [B<-engine id>] |
41918458 | 27 | [I<numbits>] |
ef7eaa4c DSH |
28 | |
29 | =head1 DESCRIPTION | |
30 | ||
31 | This command is used to manipulate DH parameter files. | |
32 | ||
33 | =head1 OPTIONS | |
34 | ||
35 | =over 4 | |
36 | ||
169394d4 MR |
37 | =item B<-help> |
38 | ||
39 | Print out a usage message. | |
40 | ||
ef7eaa4c DSH |
41 | =item B<-inform DER|PEM> |
42 | ||
43 | This specifies the input format. The B<DER> option uses an ASN1 DER encoded | |
44 | form compatible with the PKCS#3 DHparameter structure. The PEM form is the | |
45 | default format: it consists of the B<DER> format base64 encoded with | |
46 | additional header and footer lines. | |
47 | ||
48 | =item B<-outform DER|PEM> | |
49 | ||
7477c83e TM |
50 | This specifies the output format, the options have the same meaning and default |
51 | as the B<-inform> option. | |
ef7eaa4c | 52 | |
41918458 | 53 | =item B<-in> I<filename> |
ef7eaa4c DSH |
54 | |
55 | This specifies the input filename to read parameters from or standard input if | |
56 | this option is not specified. | |
57 | ||
41918458 | 58 | =item B<-out> I<filename> |
ef7eaa4c DSH |
59 | |
60 | This specifies the output filename parameters to. Standard output is used | |
61 | if this option is not present. The output filename should B<not> be the same | |
62 | as the input filename. | |
63 | ||
41918458 BM |
64 | =item B<-dsaparam> |
65 | ||
66 | If this option is used, DSA rather than DH parameters are read or created; | |
67 | they are converted to DH format. Otherwise, "strong" primes (such | |
68 | that (p-1)/2 is also prime) will be used for DH parameter generation. | |
69 | ||
70 | DH parameter generation with the B<-dsaparam> option is much faster, | |
71 | and the recommended exponent length is shorter, which makes DH key | |
72 | exchange more efficient. Beware that with such DSA-style DH | |
73 | parameters, a fresh DH key should be created for each use to | |
74 | avoid small-subgroup attacks that may be possible otherwise. | |
75 | ||
fc1d88f0 RS |
76 | =item B<-check> |
77 | ||
eeb21772 MC |
78 | Performs numerous checks to see if the supplied parameters are valid and |
79 | displays a warning if not. | |
fc1d88f0 | 80 | |
a38c878c | 81 | =item B<-2>, B<-3>, B<-5> |
09483c58 | 82 | |
a38c878c | 83 | The generator to use, either 2, 3 or 5. If present then the |
b5a379aa EK |
84 | input file is ignored and parameters are generated instead. If not |
85 | present but B<numbits> is present, parameters are generated with the | |
86 | default generator 2. | |
09483c58 | 87 | |
3ee1eac2 | 88 | =item B<-rand file...> |
09483c58 | 89 | |
c4de074e | 90 | A file or files containing random data used to seed the random number |
3ee1eac2 | 91 | generator. |
35ed393e | 92 | Multiple files can be specified separated by an OS-dependent character. |
b87ef946 | 93 | The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for |
a4cfd178 | 94 | all others. |
09483c58 | 95 | |
3ee1eac2 RS |
96 | =item [B<-writerand file>] |
97 | ||
98 | Writes random data to the specified I<file> upon exit. | |
99 | This can be used with a subsequent B<-rand> flag. | |
100 | ||
41918458 | 101 | =item I<numbits> |
09483c58 | 102 | |
c4de074e | 103 | This option specifies that a parameter set should be generated of size |
b5a379aa EK |
104 | I<numbits>. It must be the last option. If this option is present then |
105 | the input file is ignored and parameters are generated instead. If | |
6de1fe90 | 106 | this option is not present but a generator (B<-2>, B<-3> or B<-5>) is |
b5a379aa | 107 | present, parameters are generated with a default length of 2048 bits. |
6de1fe90 | 108 | The minimim length is 512 bits. The maximum length is 10000 bits. |
09483c58 | 109 | |
ef7eaa4c DSH |
110 | =item B<-noout> |
111 | ||
c4de074e | 112 | This option inhibits the output of the encoded version of the parameters. |
ef7eaa4c DSH |
113 | |
114 | =item B<-text> | |
115 | ||
c4de074e | 116 | This option prints out the DH parameters in human readable form. |
ef7eaa4c DSH |
117 | |
118 | =item B<-C> | |
119 | ||
c4de074e | 120 | This option converts the parameters into C code. The parameters can then |
bbd86bf5 | 121 | be loaded by calling the get_dhNNNN() function. |
ef7eaa4c | 122 | |
bfa35550 RL |
123 | =item B<-engine id> |
124 | ||
c4de074e | 125 | Specifying an engine (by its unique B<id> string) will cause B<dhparam> |
bfa35550 RL |
126 | to attempt to obtain a functional reference to the specified engine, |
127 | thus initialising it if needed. The engine will then be set as the default | |
128 | for all available algorithms. | |
129 | ||
ef7eaa4c DSH |
130 | =back |
131 | ||
09483c58 DSH |
132 | =head1 WARNINGS |
133 | ||
134 | The program B<dhparam> combines the functionality of the programs B<dh> and | |
b0700d2c | 135 | B<gendh> in previous versions of OpenSSL. The B<dh> and B<gendh> |
1bc74519 | 136 | programs are retained for now but may have different purposes in future |
09483c58 DSH |
137 | versions of OpenSSL. |
138 | ||
ef7eaa4c DSH |
139 | =head1 NOTES |
140 | ||
141 | PEM format DH parameters use the header and footer lines: | |
142 | ||
143 | -----BEGIN DH PARAMETERS----- | |
144 | -----END DH PARAMETERS----- | |
145 | ||
146 | OpenSSL currently only supports the older PKCS#3 DH, not the newer X9.42 | |
147 | DH. | |
148 | ||
149 | This program manipulates DH parameters not keys. | |
150 | ||
151 | =head1 BUGS | |
152 | ||
ef7eaa4c DSH |
153 | There should be a way to generate and manipulate DH keys. |
154 | ||
155 | =head1 SEE ALSO | |
156 | ||
9b86974e | 157 | L<dsaparam(1)> |
ef7eaa4c | 158 | |
e2f92610 RS |
159 | =head1 COPYRIGHT |
160 | ||
a38c878c | 161 | Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. |
e2f92610 | 162 | |
449040b4 | 163 | Licensed under the Apache License 2.0 (the "License"). You may not use |
e2f92610 RS |
164 | this file except in compliance with the License. You can obtain a copy |
165 | in the file LICENSE in the source distribution or at | |
166 | L<https://www.openssl.org/source/license.html>. | |
167 | ||
168 | =cut |