Re: [exim-dev] [Bug 1397] enable ECDH key exchange for OpenS…

Author: Jeremy Harris
Date:  
To: exim-dev
New-Topics: Re: [exim-dev] [Bug 1397] enable ECDH key exchange for OpenSSL >=1.0.0
Subject: Re: [exim-dev] [Bug 1397] enable ECDH key exchange for OpenSSL >=1.0.0
On 30/09/14 19:16, Todd Lyons wrote:
> I have taken the patch provided by Wolfgang and changed it slightly.
> I moved the default setting from tls-openssl.c into globals.c. Now
> the if tls_eccurve==NULL does something slightly different, but the
> rest of Wolfgang's code is unchanged. (It checks to see if errant code
> left it NULL, which in my understanding can never happen, but this
> checks for errors every way possible.)
>
> The commit is available for viewing at
> http://git.exim.org/users/tlyons/exim.git/shortlog/refs/heads/master_ecdhe
> . Please look it over and see if there is anything that you feel
> should be done differently.
>
> I'm aware of Phil's reservation with setting a default cipher.
> Personally I would rather set it to secp384r1 (default to higher, but
> standard encryption...the alternative is only trying to use it when
> tls_eccurve is actually set). prime256v1 and secp384r1 are both FIPS
> compliant so it is in at least every RH/CentOS openssl package 1.0.0+.
> Suse must be the same since they have incorporated the patch into
> their more recent OS version. Debian/Ubuntu has a recent version of
> openssl, so it's worth checking to see if this would work on that too.


Add this info to the change log? Also http://safecurves.cr.yp.to ?
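The quoted message suggests checking whether the candidate default curves are actually present in a distribution's OpenSSL build before relying on them. The script below is an added example for that check; it is not Exim code or a patch from this thread. It uses only `openssl ecparam -list_curves` (present in OpenSSL 1.0.x and later), and the `SAMPLE_CURVE_LIST` is a constructed excerpt in that command's output format so the script runs offline when no openssl binary is on PATH. The default curve passed to `resolve_eccurve` is an argument, not a claim about what Exim ships.

```shell
#!/bin/sh
# Added example (not Exim's own code): verify that a value intended for
# tls_eccurve names a curve the local OpenSSL actually offers.

# Constructed sample of `openssl ecparam -list_curves` output, used as a
# fallback so the script still works without an openssl binary.
SAMPLE_CURVE_LIST='  secp112r1 : SECG/WTLS curve over a 112 bit field
  prime256v1: X9.62/SECG curve over a 256 bit prime field
  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field'

# Read list_curves text on stdin, print one curve short-name per line.
# Lines that do not look like "<name> : <description>" are dropped.
curve_names() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_-]*\)[[:space:]]*:.*/\1/p'
}

# curve_in_list NAME LIST_TEXT -> exit 0 if NAME appears as a curve name.
curve_in_list() {
    printf '%s\n' "$2" | curve_names | grep -qxF -- "$1"
}

# Live curve list from the installed openssl, else the constructed sample.
available_curves() {
    if command -v openssl >/dev/null 2>&1; then
        openssl ecparam -list_curves 2>/dev/null
    else
        printf '%s\n' "$SAMPLE_CURVE_LIST"
    fi
}

# resolve_eccurve CONFIGURED DEFAULT -> the curve that would be used.
# Mirrors the "unset option falls back to a default" logic discussed in
# the thread: an empty/unset configured value behaves like NULL.
resolve_eccurve() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$2"
    fi
}

# check_eccurve CONFIGURED DEFAULT -> report and exit 0/1 on availability.
check_eccurve() {
    curve=$(resolve_eccurve "$1" "$2")
    if curve_in_list "$curve" "$(available_curves)"; then
        echo "ok: $curve is available in this OpenSSL"
        return 0
    fi
    echo "MISSING: $curve is not offered by this OpenSSL build" >&2
    return 1
}

# Example usage (default is an assumed value, not Exim's documented one):
#   check_eccurve ""          prime256v1   # unset option -> default
#   check_eccurve secp384r1   prime256v1   # explicit tls_eccurve value
```

Run it on each target distribution's OpenSSL; a curve missing from `-list_curves` output (for example on a build compiled with a restricted curve set) would otherwise only surface as a TLS setup failure at runtime.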