Message214431
From the OpenSSL changelog:
  *) Support for automatic EC temporary key parameter selection. If enabled
     the most preferred EC parameters are automatically used instead of
     hardcoded fixed parameters. Now a server just has to call:
     SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
     support ECDH and use the most appropriate parameters.
     [Steve Henson]
We could probably call this function automatically on SSL contexts, when possible.
Besides, Apache's mod_ssl has the following code:
    #if defined(SSL_CTX_set_ecdh_auto)
        SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1);
    #else
        SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx,
                             EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
    #endif
So perhaps we can also reuse the same fallback to "prime256v1" (which would allow prioritizing ECDH in the cipher string).

Date | User | Action | Args
2014-03-22 02:34:31 | pitrou | set | recipients: + pitrou, christian.heimes, dstufft
2014-03-22 02:34:31 | pitrou | set | messageid: <1395455671.92.0.144736574461.issue21015@psf.upfronthosting.co.za>
2014-03-22 02:34:31 | pitrou | link | issue21015 messages
2014-03-22 02:34:31 | pitrou | create |
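
An added example, not part of the message above and not CPython's or Apache's own code: the "prime256v1" fallback expressed through Python's `ssl` module, with a check that a cipher string really does put ECDHE suites ahead of everything else. The cipher strings and the helper names (`make_server_context`, `key_exchange_order`, `ecdhe_is_prioritized`) are assumptions chosen for illustration.

```python
import ssl

# Constructed cipher strings (assumptions, not taken from the message).
ECDHE_FIRST = "ECDH+AESGCM:ECDH+AES:DH+AESGCM:DH+AES:!aNULL:!eNULL"
DHE_FIRST = "DH+AESGCM:DH+AES:ECDH+AESGCM:ECDH+AES:!aNULL:!eNULL"


def make_server_context(curve="prime256v1", ciphers=ECDHE_FIRST):
    """Server context that pins the ECDH curve and prefers its own cipher order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Explicit curve selection, the counterpart of the SSL_CTX_set_tmp_ecdh()
    # fallback. An unknown curve name raises ValueError.
    ctx.set_ecdh_curve(curve)
    # Fresh ECDH key per handshake, and honour the server's ordering rather
    # than the client's, so the ordering below decides the key exchange.
    ctx.options |= ssl.OP_SINGLE_ECDH_USE | ssl.OP_CIPHER_SERVER_PREFERENCE
    ctx.set_ciphers(ciphers)
    return ctx


def key_exchange_order(ctx):
    """Key-exchange label of each configured suite, in preference order.

    TLS 1.3 suites report 'kx-any' (their key exchange is negotiated
    separately from the suite), so they are left out of the comparison.
    """
    return [c["kea"] for c in ctx.get_ciphers()
            if c.get("kea") not in (None, "kx-any")]


def ecdhe_is_prioritized(ctx):
    """True if every ECDHE suite is ranked before any non-ECDHE suite."""
    order = key_exchange_order(ctx)
    if not order or order[0] != "kx-ecdhe":
        return False
    first_other = next(
        (i for i, kx in enumerate(order) if kx != "kx-ecdhe"), len(order))
    return "kx-ecdhe" not in order[first_other:]


if __name__ == "__main__":
    for label, spec in (("ECDHE first", ECDHE_FIRST), ("DHE first", DHE_FIRST)):
        ctx = make_server_context(ciphers=spec)
        print(label, "->", ecdhe_is_prioritized(ctx), key_exchange_order(ctx)[:3])
```
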