[exim-dev] [Bug 1397] enable ECDH key exchange for OpenSSL >…

Top Page
Delete this message
Reply to this message
Author: Wolfgang Breyha
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 1397] enable ECDH key exchange for OpenSSL >=1.0.0
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1397




--- Comment #2 from Wolfgang Breyha <wbreyha@???> 2013-10-15 01:15:04 ---
:)

Meanwhile I found a statement in the dovecot mailinglist why most people use
secp384r1 as default instead of prime256v1.

        /* For OpenSSL < 1.0.2, ECDH temporary key parameter selection must be
           performed manually. Attempt to select the same curve as that used
           in the server's private EC key file. Otherwise fall back to the
           NIST P-384 (secp384r1) curve to be compliant with RFC 6460 when
           AES-256 TLS cipher suites are in use. This fall back option does
           however make Dovecot non-compliant with RFC 6460 which requires
           curve NIST P-256 (prime256v1) be used when AES-128 TLS cipher
           suites are in use. At least the non-compliance is in the form of
           providing too much security rather than too little. */


That sounds reasonable for me. Maybe we should use secp384r1 as default, too?


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email