Re: [exim-dev] [Bug 2298] tls_eccurve does not accept multip…

Author: Viktor Dukhovni
Date:  
To: Jeremy Harris via Exim-dev
Subject: Re: [exim-dev] [Bug 2298] tls_eccurve does not accept multiple entries


> On Aug 10, 2018, at 4:24 AM, admin--- via Exim-dev <exim-dev@???> wrote:
>
> Most uses should leave tls_eccurve at the default "auto". With a modern
> version of OpenSSL this will support the full set of curves known to the
> library.
>
> The use of accepting a list for tls_eccurve would be restricted to cases of
> "more than one, but not the full set". I'm not sure how common that need is.


If you do decide to support multiple specific curves, the appropriate
interface is SSL_CTX_set1_curves_list(3):

    https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set1_curves_list.html


    int SSL_CTX_set1_curves_list(SSL_CTX *ctx, char *list);


    SSL_CTX_set1_curves_list() sets the supported curves for ctx to
    string list.  The string is a colon separated list of curve NIDs
    or names, for example "P-521:P-384:P-256".


Note that there's no mention of support for spaces around the ":"
separators. Exim could, if this was considered sufficiently useful,
look for a colon in the parameter value, and if one were found,
call SSL_CTX_set1_curves_list(3) instead of:

    int SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int onoff);


Not saying this is necessary, but it is an option with OpenSSL >= 1.0.2.

-- 
    Viktor.
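As an added illustration of the approach sketched above (this is example code written for this page, not Exim's or OpenSSL's own implementation), the helper below classifies a tls_eccurve value and normalises a colon-separated curve list before it would be handed to SSL_CTX_set1_curves_list(3). Since the OpenSSL documentation only shows the "P-521:P-384:P-256" form and says nothing about whitespace around the ":" separators, the helper strips such whitespace itself and rejects empty entries rather than passing an undocumented string to the library. The function names (`normalize_curve_list`, `classify_tls_eccurve`, `tls_eccurve_mode`, `normalizes_to`) and the `curve_mode` enum are assumptions for this example; the block deliberately stops short of calling OpenSSL so it compiles without libssl, and the comments indicate which OpenSSL call each result would map to.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical classification of a tls_eccurve value (example, not Exim code). */
enum curve_mode {
    CURVE_AUTO,     /* "auto": SSL_CTX_set_ecdh_auto(ctx, 1) */
    CURVE_SINGLE,   /* one curve name: a one-entry list is still valid for set1_curves_list */
    CURVE_LIST,     /* "P-521:P-384:P-256": SSL_CTX_set1_curves_list(ctx, normalized) */
    CURVE_INVALID   /* empty entries, stray whitespace inside an entry, trailing ':' */
};

/*
 * Copy 'value' into 'out' with whitespace around ':' separators and at the
 * ends removed, rejecting empty entries ("P-256::P-384", a leading or trailing
 * ':', or an empty string). Returns the number of entries, or -1 on error
 * (including insufficient output space).
 */
int normalize_curve_list(const char *value, char *out, size_t outlen)
{
    size_t o = 0;
    int entries = 0;
    const char *p = value;

    while (*p) {
        while (*p && isspace((unsigned char)*p)) p++;      /* leading whitespace */
        const char *start = p;
        while (*p && *p != ':' && !isspace((unsigned char)*p)) p++;
        size_t len = (size_t)(p - start);
        if (len == 0) return -1;                             /* empty entry */
        while (*p && isspace((unsigned char)*p)) p++;      /* trailing whitespace */
        if (*p && *p != ':') return -1;                      /* "P-256 P-384": no separator */
        if (entries > 0) {
            if (o + 1 >= outlen) return -1;
            out[o++] = ':';
        }
        if (o + len >= outlen) return -1;
        memcpy(out + o, start, len);
        o += len;
        entries++;
        if (*p == ':') {
            p++;
            if (*p == '\0') return -1;                       /* trailing separator */
        }
    }
    if (entries == 0) return -1;
    out[o] = '\0';
    return entries;
}

/* Decide which OpenSSL call the value would need; 'normalized' receives the cleaned list. */
enum curve_mode classify_tls_eccurve(const char *value, char *normalized, size_t outlen)
{
    if (strcmp(value, "auto") == 0) return CURVE_AUTO;
    int n = normalize_curve_list(value, normalized, outlen);
    if (n < 0) return CURVE_INVALID;
    return n == 1 ? CURVE_SINGLE : CURVE_LIST;
}

/* Convenience wrappers so the decision and the normalised text can be checked directly. */
enum curve_mode tls_eccurve_mode(const char *value)
{
    char buf[256];
    return classify_tls_eccurve(value, buf, sizeof buf);
}

bool normalizes_to(const char *value, const char *expected)
{
    char buf[256];
    return normalize_curve_list(value, buf, sizeof buf) > 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample values, including the whitespace form OpenSSL does not document. */
    const char *samples[] = { "auto", "P-256", " P-521 : P-384 :P-256 ", "P-256::P-384", "P-256 P-384" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char buf[256] = "";
        enum curve_mode m = classify_tls_eccurve(samples[i], buf, sizeof buf);
        printf("%-26s -> mode %d normalized \"%s\"\n", samples[i], (int)m, buf);
    }
    return 0;
}
```

In a real backend the CURVE_AUTO branch is where SSL_CTX_set_ecdh_auto() would be called and the other two would pass `normalized` to SSL_CTX_set1_curves_list(); a CURVE_INVALID result should be reported as a configuration error at startup rather than silently falling back to the default. Note that with OpenSSL 1.1.0 and later automatic curve selection is always on and SSL_CTX_set_ecdh_auto() is a no-op kept for compatibility, so the list call is the only one of the two that still changes behaviour there.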