> On Aug 10, 2018, at 4:24 AM, admin--- via Exim-dev <exim-dev@???> wrote:
>
> Most uses should leave tls_eccurve at the default "auto". With a modern
> version of OpenSSL this will support the full set of curves known to the
> library.
>
> The use of accepting a list for tls_eccurve would be restricted to cases of
> "more than one, but not the full set". I'm not sure how common that need is.
If you do decide to support multiple specific curves, the appropriate
interface is SSL_CTX_set1_curves_list(3):
https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set1_curves_list.html
    int SSL_CTX_set1_curves_list(SSL_CTX *ctx, char *list);

    SSL_CTX_set1_curves_list() sets the supported curves for ctx to
    string list. The string is a colon separated list of curve NIDs
    or names, for example "P-521:P-384:P-256".
Note that there's no mention of support for spaces around the ":"
separators. Exim could, if this was considered sufficiently useful,
look for a colon in the parameter value, and if one were found,
call SSL_CTX_set1_curves_list(3) instead of:
    int SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int onoff);
Not saying this is necessary, but it is an option with OpenSSL >= 1.0.2.
--
Viktor.
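An added example, not Exim's code and not part of Viktor's message: a hypothetical helper `eccurve_classify()` decides whether a tls_eccurve value calls for SSL_CTX_set_ecdh_auto(3) or SSL_CTX_set1_curves_list(3), and strips the whitespace around ":" that the SSL_CTX_set1_curves_list(3) documentation does not promise to accept. The OpenSSL calls are only named in comments so the file builds without libssl.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Outcome of examining a tls_eccurve value (hypothetical helper, not Exim code). */
enum eccurve_kind {
    ECCURVE_INVALID = 0,  /* empty value, empty element or space inside a name: reject */
    ECCURVE_AUTO,         /* "auto": caller uses SSL_CTX_set_ecdh_auto(ctx, 1) */
    ECCURVE_SINGLE,       /* one curve name, e.g. "P-256" */
    ECCURVE_LIST          /* colon-separated list: SSL_CTX_set1_curves_list(ctx, out) */
};

/*
 * Classify VALUE and write a normalised copy to OUT (capacity OUTLEN).
 * Each element is trimmed of surrounding whitespace and the elements are
 * re-joined with ':' so the result matches the documented "P-521:P-384:P-256"
 * form. Whitespace inside a name, or an empty element ("::", leading or
 * trailing ':'), is rejected rather than silently passed to OpenSSL.
 */
enum eccurve_kind eccurve_classify(const char *value, char *out, size_t outlen)
{
    size_t n = 0;
    int nitems = 0;
    const char *p = value;

    if (value == NULL || outlen == 0)
        return ECCURVE_INVALID;

    for (;;) {
        const char *end = strchr(p, ':');             /* next separator, if any */
        const char *stop = end ? end : p + strlen(p);
        const char *s = p, *e = stop;
        while (s < e && isspace((unsigned char)*s)) s++;       /* trim left */
        while (e > s && isspace((unsigned char)e[-1])) e--;    /* trim right */
        if (s == e)
            return ECCURVE_INVALID;                    /* empty element */
        for (const char *q = s; q < e; q++)
            if (isspace((unsigned char)*q))
                return ECCURVE_INVALID;                /* "P 256" is not a name */
        size_t len = (size_t)(e - s);
        if (n + len + (nitems ? 1 : 0) + 1 > outlen)
            return ECCURVE_INVALID;                    /* no room, incl. terminator */
        if (nitems)
            out[n++] = ':';
        memcpy(out + n, s, len);
        n += len;
        nitems++;
        if (!end)
            break;
        p = end + 1;
    }
    out[n] = '\0';

    if (nitems > 1)
        return ECCURVE_LIST;
    return strcmp(out, "auto") == 0 ? ECCURVE_AUTO : ECCURVE_SINGLE;
}
```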