XCOM configssl.cnf key exchange for RSA or Diffie Hellman (DH)
search cancel

XCOM configssl.cnf key exchange for RSA or Diffie Hellman (DH)

book

Article ID: 26659

calendar_today

Updated On:

Products

XCOM Data Transport XCOM Data Transport - Windows XCOM Data Transport - Linux PC

Issue/Introduction

RSA or Diffie Hellman (DH) can be used for the key exchange during the SSL handshake between XCOM machines. It is suggested to use RSA because it is more secure. RSA uses encryption to generate the key; DH does not use encryption, but uses the different sizes.

Resolution

The RSA/DH settings are located in these 2 sections of the XCOM config directory file configssl.cnf on the target/receive side of the XCOM server which acts as the SSL server in the SSL client/server handshake:
# Mandatory, YES/NO (if NO, DH will be used)
[RSAKEY]
RECEIVE_SIDE = NO

# Optional (for RSA NO, see above). If RSA NO and DH files empty,
#  then internal program tables will be used.
[DH]
DH_512_RECEIVE_SIDE  =
DH_1024_RECEIVE_SIDE =
DH_2048_RECEIVE_SIDE =
DH_4096_RECEIVE_SIDE =

1. By default DH is used as the key exchange and with no DH_*_RECEIVE_SIDE parameter set (set to blank or commented out), the default DH prime of 256 bits is used from the internal program tables.
There are also 4 files for DH primes, 512, 1024, 2048 and 4096 located in the config directory with respective names dh215.pem, dh1024.pem, dh2048.pem, and dh4096.pem
To use a different prime to the default replace the above 4 lines with these and uncomment the line corresponding to the required prime to be used:
# DH_512_RECEIVE_SIDE  = /opt/CA/XCOM/config/dh512.pem
# DH_1024_RECEIVE_SIDE = /opt/CA/XCOM/config/dh1024.pem
# DH_2048_RECEIVE_SIDE = /opt/CA/XCOM/config/dh2048.pem
# DH_4096_RECEIVE_SIDE = /opt/CA/XCOM/config/dh4096.pem

2. To use RSA key exchange instead of DH change the [RSAKEY] RECEIVE_SIDE parameter to YES i.e.
# Mandatory, YES/NO (if NO, DH will be used)
[RSAKEY]
RECEIVE_SIDE = YES

Additional Information

NOTE: XCOM uses its own CAPKI SSL libraries and not the system openssl libraries:
XCOM Data Transport for UNIX/Linux 11.6.1 > Reference > XCOM Parameters > List of Parameters > CAPKIHOME