Re: [exim-dev] [Bug 2954] New: tls_eccurve (>= OpenSSL 3.0.0…

Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: Re: [exim-dev] [Bug 2954] New: tls_eccurve (>= OpenSSL 3.0.0) dysfunctional
On Sun, Jan 01, 2023 at 05:48:50AM +0000, admin--- via Exim-dev wrote:

> It is impossible to set a custom tls_eccurve if Exim is compiled against
> OpenSSL >= 3.0.0 due to a parenthesis error: The value of SSL_CTX_set1_groups
> rather than the comparison against 0 is assigned to rv, which subsequently
> fails at "return !rv;"
>
> https://github.com/Exim/exim/pull/89


For the record, in case anyone is reading this here and not just on the
bug tracker, nobody should be setting an explicit custom EC curve. The
interoperable setting is to enable curve negotiation, either with the
default set of curves (requires no code), or an explicit list:

    https://github.com/vdukhovni/postfix/blob/master/postfix/src/global/mail_params.h#L3345-L3376
    https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_server.c#L670
    https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_dh.c#L303-L372


Where the above is just setup machinery for calling SSL_CTX_set1_curves()
with the desired list of curve ids:

    https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_dh.c#L365


The relevant OpenSSL documentation is at:

    https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set1_curves.html


Mind you, things are a bit complicated with TLS 1.3, where ECDHE groups
and FFDHE groups are unified and always negotiated, and setting the
grouplist to just ECDHE groups will disable FFDHE.

This also means, now that I think about it, that the quoted Postfix code
perhaps needs a tweak to not inadvertently disable the TLS 1.3 FFDHE
groups (unless that's a feature).

-- 
    Viktor.
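The parenthesis error described in the quoted bug report, reproduced as an added example (not code from Exim, Postfix or OpenSSL): `stub_set1_groups()` is a constructed stand-in for `SSL_CTX_set1_groups()` that keeps OpenSSL's 1-on-success / 0-on-failure convention so the file builds without libssl, and `STUB_NID_*` is a made-up value, not an OpenSSL NID.

```c
/* Added example modelling the bug report above; not Exim's code. */
#include <stdio.h>
#include <stdbool.h>

#define STUB_NID_SECP256R1 415   /* constructed value, not OpenSSL's NID */

/* Stand-in for SSL_CTX_set1_groups(): 1 on success, 0 on failure, as in
 * OpenSSL. Constructed rule: a non-positive NID is an "unknown curve". */
static int stub_set1_groups(void *sctx, const int *nids, int count)
{
    (void)sctx;
    return (nids != NULL && count > 0 && nids[0] > 0) ? 1 : 0;
}

/* Broken form: the parentheses close around the assignment alone, so rv
 * receives the call's return value (1 on success). The trailing
 * "return !rv" then reports failure exactly when the curve was set. */
static bool set_eccurve_broken(void *sctx, int nid)
{
    int rv;
    if ((rv = stub_set1_groups(sctx, &nid, 1)) == 0)
        fprintf(stderr, "error enabling curve (nid %d)\n", nid);
    return !rv;
}

/* Corrected form: rv holds the comparison (call == 0), i.e. an error
 * flag, so "return !rv" is true on success and false on failure. */
static bool set_eccurve_fixed(void *sctx, int nid)
{
    int rv;
    if ((rv = stub_set1_groups(sctx, &nid, 1) == 0))
        fprintf(stderr, "error enabling curve (nid %d)\n", nid);
    return !rv;
}

int main(void)
{
    void *ctx = NULL;   /* the stand-in ignores the context */
    printf("broken, valid curve:   %s\n",
           set_eccurve_broken(ctx, STUB_NID_SECP256R1) ? "ok" : "FAILED");
    printf("fixed,  valid curve:   %s\n",
           set_eccurve_fixed(ctx, STUB_NID_SECP256R1) ? "ok" : "FAILED");
    printf("fixed,  unknown curve: %s\n",
           set_eccurve_fixed(ctx, 0) ? "ok" : "FAILED");
    return 0;
}
```

Both forms compile cleanly, which is why the inversion only shows up at run time as a spurious "tls_eccurve" failure on every valid curve.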