1=pod 2 3=head1 NAME 4 5SSL_CTX_set_tmp_rsa_callback, SSL_CTX_set_tmp_rsa, SSL_CTX_need_tmp_rsa, SSL_set_tmp_rsa_callback, SSL_set_tmp_rsa, SSL_need_tmp_rsa - handle RSA keys for ephemeral key exchange 6 7=head1 SYNOPSIS 8 9 #include <openssl/ssl.h> 10 11 void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, 12 RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength)); 13 long SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, RSA *rsa); 14 long SSL_CTX_need_tmp_rsa(SSL_CTX *ctx); 15 16 void SSL_set_tmp_rsa_callback(SSL_CTX *ctx, 17 RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength)); 18 long SSL_set_tmp_rsa(SSL *ssl, RSA *rsa) 19 long SSL_need_tmp_rsa(SSL *ssl) 20 21 RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength); 22 23=head1 DESCRIPTION 24 25SSL_CTX_set_tmp_rsa_callback() sets the callback function for B<ctx> to be 26used when a temporary/ephemeral RSA key is required to B<tmp_rsa_callback>. 27The callback is inherited by all SSL objects newly created from B<ctx> 28with <SSL_new(3)|SSL_new(3)>. Already created SSL objects are not affected. 29 30SSL_CTX_set_tmp_rsa() sets the temporary/ephemeral RSA key to be used to be 31B<rsa>. The key is inherited by all SSL objects newly created from B<ctx> 32with <SSL_new(3)|SSL_new(3)>. Already created SSL objects are not affected. 33 34SSL_CTX_need_tmp_rsa() returns 1, if a temporary/ephemeral RSA key is needed 35for RSA-based strength-limited 'exportable' ciphersuites because a RSA key 36with a keysize larger than 512 bits is installed. 37 38SSL_set_tmp_rsa_callback() sets the callback only for B<ssl>. 39 40SSL_set_tmp_rsa() sets the key only for B<ssl>. 41 42SSL_need_tmp_rsa() returns 1, if a temporary/ephemeral RSA key is needed, 43for RSA-based strength-limited 'exportable' ciphersuites because a RSA key 44with a keysize larger than 512 bits is installed. 45 46These functions apply to SSL/TLS servers only. 47 48=head1 NOTES 49 50When using a cipher with RSA authentication, an ephemeral RSA key exchange 51can take place. In this case the session data are negotiated using the 52ephemeral/temporary RSA key and the RSA key supplied and certified 53by the certificate chain is only used for signing. 54 55Under previous export restrictions, ciphers with RSA keys shorter (512 bits) 56than the usual key length of 1024 bits were created. To use these ciphers 57with RSA keys of usual length, an ephemeral key exchange must be performed, 58as the normal (certified) key cannot be directly used. 59 60Using ephemeral RSA key exchange yields forward secrecy, as the connection 61can only be decrypted, when the RSA key is known. By generating a temporary 62RSA key inside the server application that is lost when the application 63is left, it becomes impossible for an attacker to decrypt past sessions, 64even if he gets hold of the normal (certified) RSA key, as this key was 65used for signing only. The downside is that creating a RSA key is 66computationally expensive. 67 68Additionally, the use of ephemeral RSA key exchange is only allowed in 69the TLS standard, when the RSA key can be used for signing only, that is 70for export ciphers. Using ephemeral RSA key exchange for other purposes 71violates the standard and can break interoperability with clients. 72It is therefore strongly recommended to not use ephemeral RSA key 73exchange and use EDH (Ephemeral Diffie-Hellman) key exchange instead 74in order to achieve forward secrecy (see 75L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>). 76 77On OpenSSL servers ephemeral RSA key exchange is therefore disabled by default 78and must be explicitly enabled using the SSL_OP_EPHEMERAL_RSA option of 79L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, violating the TLS/SSL 80standard. When ephemeral RSA key exchange is required for export ciphers, 81it will automatically be used without this option! 82 83An application may either directly specify the key or can supply the key via 84a callback function. The callback approach has the advantage, that the 85callback may generate the key only in case it is actually needed. As the 86generation of a RSA key is however costly, it will lead to a significant 87delay in the handshake procedure. Another advantage of the callback function 88is that it can supply keys of different size (e.g. for SSL_OP_EPHEMERAL_RSA 89usage) while the explicit setting of the key is only useful for key size of 90512 bits to satisfy the export restricted ciphers and does give away key length 91if a longer key would be allowed. 92 93The B<tmp_rsa_callback> is called with the B<keylength> needed and 94the B<is_export> information. The B<is_export> flag is set, when the 95ephemeral RSA key exchange is performed with an export cipher. 96 97=head1 EXAMPLES 98 99Generate temporary RSA keys to prepare ephemeral RSA key exchange. As the 100generation of a RSA key costs a lot of computer time, they saved for later 101reuse. For demonstration purposes, two keys for 512 bits and 1024 bits 102respectively are generated. 103 104 ... 105 /* Set up ephemeral RSA stuff */ 106 RSA *rsa_512 = NULL; 107 RSA *rsa_1024 = NULL; 108 109 rsa_512 = RSA_generate_key(512,RSA_F4,NULL,NULL); 110 if (rsa_512 == NULL) 111 evaluate_error_queue(); 112 113 rsa_1024 = RSA_generate_key(1024,RSA_F4,NULL,NULL); 114 if (rsa_1024 == NULL) 115 evaluate_error_queue(); 116 117 ... 118 119 RSA *tmp_rsa_callback(SSL *s, int is_export, int keylength) 120 { 121 RSA *rsa_tmp=NULL; 122 123 switch (keylength) { 124 case 512: 125 if (rsa_512) 126 rsa_tmp = rsa_512; 127 else { /* generate on the fly, should not happen in this example */ 128 rsa_tmp = RSA_generate_key(keylength,RSA_F4,NULL,NULL); 129 rsa_512 = rsa_tmp; /* Remember for later reuse */ 130 } 131 break; 132 case 1024: 133 if (rsa_1024) 134 rsa_tmp=rsa_1024; 135 else 136 should_not_happen_in_this_example(); 137 break; 138 default: 139 /* Generating a key on the fly is very costly, so use what is there */ 140 if (rsa_1024) 141 rsa_tmp=rsa_1024; 142 else 143 rsa_tmp=rsa_512; /* Use at least a shorter key */ 144 } 145 return(rsa_tmp); 146 } 147 148=head1 RETURN VALUES 149 150SSL_CTX_set_tmp_rsa_callback() and SSL_set_tmp_rsa_callback() do not return 151diagnostic output. 152 153SSL_CTX_set_tmp_rsa() and SSL_set_tmp_rsa() do return 1 on success and 0 154on failure. Check the error queue to find out the reason of failure. 155 156SSL_CTX_need_tmp_rsa() and SSL_need_tmp_rsa() return 1 if a temporary 157RSA key is needed and 0 otherwise. 158 159=head1 SEE ALSO 160 161L<ssl(3)|ssl(3)>, L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>, 162L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, 163L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>, 164L<SSL_new(3)|SSL_new(3)>, L<ciphers(1)|ciphers(1)> 165 166=cut 167