[patch] more TLS configuration options for nnrpd
christian mock
cm at tahina.priv.at
Mon Dec 1 21:49:29 UTC 2014
On Sun, Nov 23, 2014 at 02:10:26PM +0100, Julien ÉLIE wrote:
> Reading the OBJ_nid2obj(3) doc, I see that they #include
> <openssl/objects.h> when using OBJ_nid2sn(). Shouldn't we also add
> that include in tls.h when HAVE_SSL_ECC is set?
Right, we probably should.
> > The default is unset, which means an appropriate curve is
> > auto-selected (if your OpenSSL version supports it) or the NIST
> > P-256 curve is used.
>
> I see:
> SSL_CTX_set_tmp_ecdh(CTX,
> EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
>
> Are we sure NID_X9_62_prime256v1 always exists? Maybe in OpenSSL
> versions where SSL_CTX_set_ecdh_auto does not exist, this curve
> exists; so that's fine to call it without testing its existence.
It's a macro, so compilation would fail.
Assuming the macro is defined but the curve is somehow not supported
in openssl anyways, EC_KEY_new_by_curve_name would return NULL on
errors.
Now I can't find documentation on the return values of
SSL_CTX_set_tmp_ecdh, and apps/s_server.c in the openssl sources uses
it without error checking... let's try it and set the 2nd param to
NULL and see what happens. Nothing. That is, no crash, openssl
does disable ECDH support but seems to work fine otherwise.
So the question is: should we check for this unlikely case and output
a warning, or just ignore it?
cm.
--
rotfl. Really, I'm sorry, Doctor, but for me it is also an outage (downtime
of a service, Doctor, in case you do not understand the language of our
countrymen) when a service goes offline, and not only when the propeller at
the back stops turning. -- Peter Vratny in aip
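The "check and warn, or fall back silently" question above can be made concrete. The following is an added example, not code from the patch or from INN's nnrpd; it uses Python's ssl module, whose set_ecdh_curve() performs the same OpenSSL name lookup and raises ValueError when the curve is unknown to the linked library. The fallback curve name "prime256v1" (the short name of NID_X9_62_prime256v1) and the message wording are assumptions.

```python
import ssl

# Assumed default for this example, mirroring the patch's fallback to
# NID_X9_62_prime256v1 when no curve is configured.
DEFAULT_CURVE = "prime256v1"


def configure_ecdh(ctx, requested=None):
    """Apply the requested ECDH curve to ctx, falling back to DEFAULT_CURVE.

    Returns (curve_in_use, notes): curve_in_use is the name actually
    configured (None if even the default is unavailable, i.e. ECDH ends up
    disabled), and notes holds messages the daemon should log so that a
    silently disabled key exchange does not go unnoticed.
    """
    notes = []
    for candidate in (requested, DEFAULT_CURVE):
        if candidate is None:
            continue
        try:
            # Same lookup the C code does via OBJ_sn2nid() and
            # EC_KEY_new_by_curve_name(); unknown curves raise ValueError.
            ctx.set_ecdh_curve(candidate)
            return candidate, notes
        except ValueError:
            notes.append(
                f"ECDH curve {candidate!r} is not supported by this OpenSSL build"
            )
    notes.append("ECDH disabled: no usable curve available")
    return None, notes


def new_server_context(requested=None):
    """Build a TLS server context and report which curve was configured."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    curve, notes = configure_ecdh(ctx, requested)
    return curve, notes


if __name__ == "__main__":
    # Constructed inputs: a valid curve name and a deliberately bogus one.
    for name in ("prime256v1", "not-a-real-curve"):
        curve, notes = new_server_context(name)
        print(name, "->", curve, notes)
```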