http://bugs.exim.org/show_bug.cgi?id=1397
--- Comment #2 from Wolfgang Breyha <wbreyha@???> 2013-10-15 01:15:04 ---
:)
Meanwhile I found a statement on the Dovecot mailing list explaining why most
people use secp384r1 as the default instead of prime256v1.
/* For OpenSSL < 1.0.2, ECDH temporary key parameter selection must be
performed manually. Attempt to select the same curve as that used
in the server's private EC key file. Otherwise fall back to the
NIST P-384 (secp384r1) curve to be compliant with RFC 6460 when
AES-256 TLS cipher suites are in use. This fall back option does
however make Dovecot non-compliant with RFC 6460 which requires
curve NIST P-256 (prime256v1) be used when AES-128 TLS cipher
suites are in use. At least the non-compliance is in the form of
providing too much security rather than too little. */
That sounds reasonable to me. Maybe we should use secp384r1 as the default, too?
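The fallback trade-off described in the quoted Dovecot comment, as an added example that is not part of the original comment and is not Dovecot or Exim code: a small C model (no OpenSSL calls) of the curve selection order and the RFC 6460 pairing. The function names and the sample suite names are assumptions chosen for illustration.

```c
/* Added illustration: a model of the policy, not Dovecot or Exim code.
   All function names here are hypothetical; no OpenSSL calls are made. */
#include <stdio.h>
#include <string.h>

enum verdict { COMPLIANT, STRONGER_THAN_REQUIRED, WEAKER_THAN_REQUIRED, NOT_COVERED };

/* Field size of the two curves under discussion; 0 for anything else. */
static int curve_bits(const char *curve) {
    if (curve && strcmp(curve, "prime256v1") == 0) return 256;
    if (curve && strcmp(curve, "secp384r1") == 0) return 384;
    return 0;
}

/* Curve size the quoted comment says RFC 6460 requires, keyed on the AES key size. */
static int required_bits(const char *suite) {
    if (suite && strstr(suite, "AES_128")) return 256;
    if (suite && strstr(suite, "AES_256")) return 384;
    return 0;
}

/* Selection order from the comment: the EC key's curve if there is one
   (key_curve == NULL models a key file without an EC key), else the default. */
static const char *select_ecdh_curve(const char *key_curve, const char *fallback) {
    return key_curve ? key_curve : fallback;
}

static enum verdict rfc6460_check(const char *suite, const char *curve) {
    int need = required_bits(suite), have = curve_bits(curve);
    if (!need || !have) return NOT_COVERED;
    if (have == need) return COMPLIANT;
    return have > need ? STRONGER_THAN_REQUIRED : WEAKER_THAN_REQUIRED;
}

int main(void) {
    /* Constructed sample input: the two candidate defaults and two suite names. */
    static const char *names[] = { "compliant", "stronger than required",
                                   "weaker than required", "not covered" };
    const char *defaults[] = { "prime256v1", "secp384r1" };
    const char *suites[] = { "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                             "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" };
    for (int d = 0; d < 2; d++)
        for (int s = 0; s < 2; s++) {
            const char *curve = select_ecdh_curve(NULL, defaults[d]);
            printf("default %-10s %s: %s\n", curve, suites[s],
                   names[rfc6460_check(suites[s], curve)]);
        }
    return 0;
}
```

With prime256v1 as the default the only mismatch falls on the weak side (an AES-256 suite with P-256); with secp384r1 the only mismatch falls on the strong side.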