Implement second step of RFC7919 in TLS 1.2 server
Before this commit, the logic for generating a temporary DH key for DHE
cipher suites is the following:
1) If dh_tmp_auto is set (see SSL_set_dh_auto), the SSL server
automatically selects a set of DH parameters (P and G) appropriate
for the security level of the cipher suite. The groups are taken from
IKE (RFC 2409 and RFC 3526).
2) Otherwise, if the user provided a pre-generated set of DH parameters
(SSL_set0_tmp_dh_pkey), those parameters are used.
3) Finally, if neither 1) nor 2) is applicable, a callback function can
be set using SSL_set_tmp_dh_callback, which will be invoked to
generate the temporary DH parameters. From OpenSSL 3.0, this
functionality is deprecated.
4) Using the parameters from steps 1-3, an ephemeral DH key is
generated. The parameters and the public key are sent to the client.
The logic above is updated by inserting an additional step, prior to
step 1:
0) If tls1_shared_group returns any shared known group between the
server and the client, the DH parameters associated with this group
are selected.
This is still compliant with RFC7919, as the server will already have
checked the Supported Groups extension during the ciphersuite selection
process (implemented in the previous commit).
Now, the tests need to be updated: by default, the TLS 1.2 server will
default to RFC7919 groups. To bypass this behavior, the supported groups
on the client side are set to "xorgroup", ensuring that the client does
not advertise any FFDHE group support and the server falls back to the
old logic.
An additional test is also added to ensure that the TLS 1.2 server does
select the right group if the client advertises any of the RFC7919
groups.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Thu Feb 5 09:09:41 2026
(Merged from https://github.com/openssl/openssl/pull/24551)
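The selection order described in the commit message (step 0 for a shared RFC 7919 group, then the legacy steps 1-3), written out as a stand-alone model so the RFC 7919 section 4 rules can be exercised against the two client behaviours the tests cover. This is an added example, not OpenSSL's code: the function names select_dhe_params and shared_ffdhe_group, the ServerConfig fields, the returned "source" labels, the auto-selection threshold table and the XORGROUP codepoint are assumptions of the model. The codepoints 256..260 and the reserved 256..511 range are from RFC 7919; whether server or client preference order wins is modelled with a flag, mirroring the SSL_OP_CIPHER_SERVER_PREFERENCE switch, and is labelled as an assumption.

```python
"""Model of a TLS 1.2 server choosing DHE parameters under RFC 7919.

Added illustration for this page; it is NOT OpenSSL's code. Function
names, ServerConfig fields and the "source" labels are assumptions of
the model. Codepoints and the 256..511 range are from RFC 7919 section 4.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# RFC 7919 named groups: codepoint -> (name, modulus bits)
FFDHE_GROUPS = {
    256: ("ffdhe2048", 2048),
    257: ("ffdhe3072", 3072),
    258: ("ffdhe4096", 4096),
    259: ("ffdhe6144", 6144),
    260: ("ffdhe8192", 8192),
}
# RFC 7919 reserves 256..511 for FFDHE; a codepoint in this range that the
# server does not know still means "the client wants a named FFDHE group".
FFDHE_RANGE = range(256, 512)

# Legacy dh_tmp_auto fallback: modulus size chosen from the security bits of
# the server key. Thresholds are an ASSUMPTION of this model, loosely after
# the IKE-group (RFC 2409 / RFC 3526) fallback the commit message mentions.
IKE_AUTO_TABLE = [(192, 8192), (152, 4096), (128, 3072), (112, 2048), (0, 1024)]


@dataclass
class ServerConfig:
    groups: list                    # enabled groups (codepoints) in preference order
    dh_auto: bool = False           # models SSL_set_dh_auto
    tmp_dh: Optional[int] = None    # models SSL_set0_tmp_dh_pkey (modulus bits)
    tmp_dh_cb: Optional[Callable[[int], int]] = None  # models the deprecated callback
    server_prefers: bool = False    # models SSL_OP_CIPHER_SERVER_PREFERENCE (assumption)


def shared_ffdhe_group(server: ServerConfig, client_groups: list) -> Optional[int]:
    """Model of tls1_shared_group restricted to FFDHE groups: first group in
    the preferring side's order that the other side also supports and the
    server knows. Which side's order wins is an assumption of the model."""
    pref, supp = (server.groups, client_groups) if server.server_prefers \
        else (client_groups, server.groups)
    supported = set(supp)
    for cp in pref:
        if cp in FFDHE_GROUPS and cp in supported:
            return cp
    return None


def select_dhe_params(server: ServerConfig, client_groups: list, security_bits: int):
    """Return (source, modulus_bits, group_name_or_None), or raise ValueError
    when RFC 7919 forbids a DHE suite or no parameters are available."""
    # Step 0: a shared RFC 7919 group wins.
    cp = shared_ffdhe_group(server, client_groups)
    if cp is not None:
        name, bits = FFDHE_GROUPS[cp]
        return ("rfc7919", bits, name)

    # RFC 7919 s.4: the client offered FFDHE codepoints (known or not) but none
    # is in common, so the server MUST NOT select an FFDHE cipher suite. The
    # commit message places this check in cipher suite selection; here it is
    # modelled as a refusal before the legacy steps run.
    if any(c in FFDHE_RANGE for c in client_groups):
        raise ValueError("no FFDHE group in common; DHE suite must not be selected")

    # Steps 1-3: legacy behaviour, reached only when no FFDHE group was offered.
    if server.dh_auto:
        for min_bits, modulus in IKE_AUTO_TABLE:
            if security_bits >= min_bits:
                return ("auto", modulus, None)
    if server.tmp_dh is not None:
        return ("tmp_dh", server.tmp_dh, None)
    if server.tmp_dh_cb is not None:
        return ("callback", server.tmp_dh_cb(security_bits), None)
    raise ValueError("no DH parameters available")


# Constructed scenarios mirroring the two tests the commit describes.
XORGROUP = 0x7F01   # arbitrary non-FFDHE codepoint standing in for the test-only "xorgroup"
SERVER = ServerConfig(groups=[257, 256], dh_auto=True)   # ffdhe3072, ffdhe2048


def demo() -> dict:
    results = {
        # client offers ffdhe2048, ffdhe3072 and secp256r1 (23, ignored for DHE)
        "client_ffdhe": select_dhe_params(SERVER, [256, 257, 23], 112),
        # client offers only "xorgroup": server falls back to the old logic
        "client_xorgroup": select_dhe_params(SERVER, [XORGROUP], 112),
    }
    try:
        select_dhe_params(SERVER, [260], 112)   # only ffdhe8192, which the server lacks
        results["client_unshared"] = None
    except ValueError as err:
        results["client_unshared"] = str(err)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(scenario, outcome)
```

The third scenario is the one the legacy logic got wrong: a client that insists on named FFDHE groups must not be handed arbitrary server parameters, which is why the Supported Groups check has to happen at cipher suite selection and not only at key generation time.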