[exim-dev] [Bug 1397] enable ECDH key exchange for OpenSSL >…

Author: Wolfgang Breyha
Date:
To: exim-dev
Subject: [exim-dev] [Bug 1397] enable ECDH key exchange for OpenSSL >=1.0.0
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1397

--- Comment #2 from Wolfgang Breyha <wbreyha@???> 2013-10-15 01:15:04 ---
:)

Meanwhile I found a statement in the dovecot mailing list why most people use
secp384r1 as default instead of prime256v1.

        /* For OpenSSL < 1.0.2, ECDH temporary key parameter selection must be
           performed manually. Attempt to select the same curve as that used
           in the server's private EC key file. Otherwise fall back to the
           NIST P-384 (secp384r1) curve to be compliant with RFC 6460 when
           AES-256 TLS cipher suites are in use. This fall back option does
           however make Dovecot non-compliant with RFC 6460 which requires
           curve NIST P-256 (prime256v1) be used when AES-128 TLS cipher
           suites are in use. At least the non-compliance is in the form of
           providing too much security rather than too little. */


That sounds reasonable to me. Maybe we should use secp384r1 as default, too?


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email