[patch] more TLS configuration options for nnrpd
Julien ÉLIE
julien at trigofacile.com
Sun Nov 23 13:10:26 UTC 2014
Hi Christian,
> In fact, I have got ECDH support implemented. I'll attach a patch that
> goes on top of the first one, and would very much like people to
> critique this and test it, because the OpenSSL docs are less than
> helpful and I had to resort to reverse-engineering the Apache source.
> Consider it experimental -- not "crashing your server", but "may be
> insecure".
I have been testing your patch for a few days, without any problem.
Thanks for it!
Reading the OBJ_nid2obj(3) doc, I see that they #include
<openssl/objects.h> when using OBJ_nid2sn(). Shouldn't we also add that
include in tls.h when HAVE_SSL_ECC is set?
> The default is unset, which means an appropriate curve is
> auto-selected (if your OpenSSL version supports it) or the NIST
> P-256 curve is used.
I see:
SSL_CTX_set_tmp_ecdh(CTX,
EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
Are we sure NID_X9_62_prime256v1 always exists? Maybe in OpenSSL
versions where SSL_CTX_set_ecdh_auto does not exist, this curve exists;
so that's fine to call it without testing its existence.
--
Julien ÉLIE
« They turned down an offer from a Norman?!? » (Astérix)
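The question above is whether the P-256 fallback (NID_X9_62_prime256v1, short name "prime256v1") can be relied on in every OpenSSL build, and whether the "unset means auto-select or P-256" default is wired up sensibly. The following is an added example, not code from the patch or from INN: it uses Python's ssl module, which wraps the same OpenSSL calls the patch makes (OBJ_sn2nid to resolve the curve name, then SSL_CTX_set_tmp_ecdh, or SSL_CTX_set1_groups on OpenSSL 3), to probe at run time whether a curve name is known to the linked library and to reproduce the unset/auto/P-256 decision. The function names and the version threshold for auto-selection are assumptions made here for illustration.

```python
import ssl

# Short name OpenSSL uses for NID_X9_62_prime256v1 (NIST P-256).
DEFAULT_CURVE = "prime256v1"

# Assumption for this example: SSL_CTX_set_ecdh_auto appeared in OpenSSL 1.0.2
# and auto-selection is unconditional from 1.1.0 onward.
ECDH_AUTO_MIN_VERSION = (1, 0, 2)


def new_server_context():
    """Fresh server-side context, the Python equivalent of SSL_CTX_new()."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def curve_is_known(name):
    """True if the OpenSSL build Python is linked against knows this curve.

    set_ecdh_curve() resolves the short name to a NID and installs it on the
    context; an unknown name raises ValueError, which is exactly the case the
    patch cannot see at compile time.
    """
    ctx = new_server_context()
    try:
        ctx.set_ecdh_curve(name)
    except ValueError:
        return False
    return True


def configure_ecdh(ctx, configured_curve=None):
    """Mirror the patch's policy for an nnrpd-style 'tls_ecdh_curve' setting.

    Returns the curve name actually installed, or "auto" when the library is
    left to choose (no explicit curve is set on the context in that case).
    Raises ValueError if an explicitly configured curve is unknown.
    """
    if configured_curve is None:
        if ssl.OPENSSL_VERSION_INFO >= ECDH_AUTO_MIN_VERSION:
            # Library auto-selection is available; install nothing explicit.
            return "auto"
        # Old library without auto-selection: fall back to P-256, but verify
        # the curve exists instead of assuming it.
        if not curve_is_known(DEFAULT_CURVE):
            raise ValueError("fallback curve %s not available" % DEFAULT_CURVE)
        configured_curve = DEFAULT_CURVE
    ctx.set_ecdh_curve(configured_curve)
    return configured_curve


def report():
    """Summarise what this OpenSSL build supports, for a quick sanity check."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "p256_known": curve_is_known(DEFAULT_CURVE),
        "default_choice": configure_ecdh(new_server_context()),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print("%-15s %s" % (key, value))
```

Running the script prints the OpenSSL version string, whether P-256 resolves, and whether an unset setting results in "auto" or an explicit curve. The same probe could be done in C with OBJ_sn2nid() returning NID_undef for an unknown name, which is the check the patch would need if it wanted to guard the fallback rather than assume NID_X9_62_prime256v1 is always compiled in.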