I have taken the patch provided by Wolfgang and changed it slightly.
I moved the default setting from tls-openssl.c into globals.c. Now
the if tls_eccurve==NULL does something slightly different, but the
rest of Wolfang's code is unchanged. (It checks to see if errant code
left it NULL, which in my understanding can never happen, but this
checks for errors every way possible.)
The commit is available for viewing at
http://git.exim.org/users/tlyons/exim.git/shortlog/refs/heads/master_ecdhe
. Please look it over and see if there is anything that you feel
should be done differently.
I'm aware of Phil's reservation with setting a default cipher.
Personally I would rather set it to secp384r1 (default to higher, but
standard encryption...the alternative is only trying to use it when
tls_eccurve is actually set). prime256v1 and secp384r1are both FIPS
compliant so it is in at least every RH/CentOS openssl package 1.0.0+.
Suse must be the same since they have incorporated the patch into
their more recent OS version. Debian/Ubuntu has a recent version of
openssl, so it's worth checking to see if this would work on that too.
...Todd
On Tue, Sep 30, 2014 at 5:32 AM, Todd Lyons <tlyons@???> wrote:
> ------- You are receiving this mail because: -------
> You are on the CC list for the bug.
>
> http://bugs.exim.org/show_bug.cgi?id=1397
>
> Todd Lyons <tlyons@???> changed:
>
> What |Removed |Added
> ----------------------------------------------------------------------------
> CC| |tlyons@???
>
>
>
>
> --- Comment #7 from Todd Lyons <tlyons@???> 2014-09-30 13:32:47 ---
> I see that Suse incorporates the ECDHE patch in their official release. I'm
> willing to merge this now. Has anybody uncovered more evidence or spoken with a
> knowledgeable crypto person to know whether one curve is better than the other
> to use?
>
>
> --
> Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine