[exim-dev] [Bug 2954] tls_eccurve (>= OpenSSL 3.0.0) dysfunc…

Author: admin
To: exim-dev
Subject: [exim-dev] [Bug 2954] tls_eccurve (>= OpenSSL 3.0.0) dysfunctional
https://bugs.exim.org/show_bug.cgi?id=2954

--- Comment #2 from help@??? ---
It is technically impossible for it to be broken since 2015 because at that
time, there was no OpenSSL 3.0.0. Remember: Only the implementation for OpenSSL
3.0.0 is broken. All prior versions work just fine. In fact (if the git-blame
is anything to go by) this implementation was added on November 29 2021:

https://github.com/Exim/exim/blame/313dcd5968cd8a02995322fa771f4d56b9f15e49/src/src/tls-openssl.c#L808

Around March of this year or very shortly thereafter, Debian Bookworm will be
released. It uses OpenSSL 3.0.0 natively. Those users won't be able to
use/change tls_eccurve then.

Just to give some context for the importance of that option:

"tls_eccurve" is what "tls_dhparam" is in terms of elliptic cryptography. I am
not quite sure if "not well used" is an appropriate dismissal for such a
fundamentally important option. It defines the algorithm as well as the
strength of a Diffie-Hellman exchange under elliptic cryptography. Hence the
name "Elliptic Curve Diffie-Hellman Exchange", or ECDHE for short.

Considering that TLS 1.3 primarily, but also the future of cryptography
generally, is based on elliptic curves, it is not only fundamentally
important but quite honestly a necessity.

I have tracked down the bug as well as provided a patch (it was a simple
parentheses error) that fixes the issue and tested it on Ubuntu 22.04 LTS Jammy
Jellyfish with > OpenSSL 3.0.0 successfully. See my github pull request.

For more information about elliptic cryptography:
https://www.youtube.com/watch?v=NF1pwjL9-DE

--
You are receiving this mail because:
You are on the CC list for the bug.
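
Added example, not part of the bug report above and not Exim project code: a
way to verify from the outside whether a configured tls_eccurve is actually
being applied. It pins the curve in the Exim main configuration (shown as
comments) and then checks the "Server Temp Key" line that `openssl s_client`
prints after a STARTTLS handshake against the configured curve. The host name
mail.example.org, the config file path and the curve secp384r1 are
assumptions; the sample s_client output embedded in the block is constructed.
Note that OpenSSL 1.1.1 prints NIST names (P-384) on that line while OpenSSL
3.x prints OpenSSL names (secp384r1), so the check accepts either.

```shell
#!/bin/sh
# Added example (not Exim's code). Checks that the ECDHE group negotiated by a
# live Exim server matches the curve configured with tls_eccurve.
#
# Exim main configuration fragment (assumed path, e.g. /etc/exim4/exim4.conf):
#   tls_advertise_hosts = *
#   tls_certificate     = /etc/exim4/exim.crt
#   tls_privatekey      = /etc/exim4/exim.key
#   tls_eccurve         = secp384r1      # curve used for ECDHE; default is "auto"

# Map an OpenSSL curve name to its NIST alias (and back) so that the
# "Server Temp Key" line from either OpenSSL 1.1.1 or 3.x can be compared.
nist_alias() {
    case "$1" in
        prime256v1) echo "P-256" ;;
        secp384r1)  echo "P-384" ;;
        secp521r1)  echo "P-521" ;;
        P-256)      echo "prime256v1" ;;
        P-384)      echo "secp384r1" ;;
        P-521)      echo "secp521r1" ;;
        *)          echo "$1" ;;
    esac
}

# Read `openssl s_client` output on stdin and print the negotiated group name,
# e.g. "secp384r1", "P-384" or "X25519". Prints nothing if no such line exists
# (for example when the handshake failed before key exchange).
negotiated_group() {
    sed -n 's/^Server Temp Key: \(ECDH, \)\{0,1\}\([A-Za-z0-9-]*\).*/\2/p' | head -n 1
}

# Compare the negotiated group (from stdin) with the configured tls_eccurve.
# Returns 0 on match, 1 on mismatch or when no group was negotiated.
check_eccurve() {
    expected="$1"
    got=$(negotiated_group)
    if [ -n "$got" ] && { [ "$got" = "$expected" ] || [ "$got" = "$(nist_alias "$expected")" ]; }; then
        echo "OK: ECDHE group is $got"
        return 0
    fi
    echo "MISMATCH: configured $expected, negotiated ${got:-<none>} (tls_eccurve not applied?)"
    return 1
}

# Constructed sample of the relevant s_client output (OpenSSL 3.x style).
SAMPLE_OUTPUT="New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Server Temp Key: ECDH, secp384r1, 384 bits"

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | check_eccurve secp384r1

# Live use against a real server (assumed host and port):
#   openssl s_client -starttls smtp -connect mail.example.org:25 </dev/null 2>/dev/null \
#     | check_eccurve secp384r1
```

If the server keeps negotiating prime256v1 (or X25519) no matter what
tls_eccurve says, the option is not reaching the OpenSSL context, which is the
symptom the bug describes for the OpenSSL 3.0.0 build.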