I am confused about TLS_DH_RSA_* ciphers because, for DH to work, the server certificate has to include a DH public key, but for server authentication the server certificate needs an RSA public key. Can an RSA certificate include both a DH public key and an RSA public key?
Can somebody help to explain how DH_RSA key exchange works?
Look at TLS 1.0 Section 7.4.2, DH_RSA means a DH certificate which itself is signed using RSA by a CA.
The server has a static (long term) DH keypair. The public is included in a certificate and signed by a CA using RSA.
In the handshake, the server sends the certificate which includes the server's static DH public, signed by CA using RSA.
The client verifies the cert chain using RSA like normal, generates an ephemeral DH keypair, performs DH computation against the server's static DH public, computes shared premaster secret. The client sends the client's ephemeral DH public in the ClientKeyExchange.
The server receives the ClientKeyExchange, performs a single DH computation, and computes the same shared premaster secret.
There is no asymmetric encryption or online asymmetric digital signature operation in the handshake - only the DH operation.
This is historic, right? You're not going to use it, right?
