[patch] more TLS configuration options for nnrpd

Julien ÉLIE julien at trigofacile.com
Sun Nov 23 13:10:26 UTC 2014


Hi Christian,

> In fact, I have got ECDH support implemented. I'll attach a patch that
> goes on top of the first one, and would very much like people to
> critique this and test it, because the OpenSSL docs are less than
> helpful and I had to resort to reverse engineer the apache source.
> Consider it experimental -- not "crashing your server", but "may be
> insecure".

I have been testing your patch for a few days, without any problem.
Thanks for it!

Reading the OBJ_nid2obj(3) doc, I see that they #include 
<openssl/objects.h> when using OBJ_nid2sn().  Shouldn't we also add that 
include in tls.h when HAVE_SSL_ECC is set?



>    The default is unset, which means an appropriate curve is
>    auto-selected (if your OpenSSL version supports it) or the NIST
>    P-256 curve is used.

I see:
     SSL_CTX_set_tmp_ecdh(CTX,
         EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));

Are we sure NID_X9_62_prime256v1 always exists?  Maybe in OpenSSL 
versions where SSL_CTX_set_ecdh_auto does not exist, this curve exists; 
so that's fine to call it without testing its existence.

-- 
Julien ÉLIE

« They turned down an offer from a Norman?!? » (Astérix)
