> On May 13, 2017, at 11:48 AM, Massimo G. <sberla81@xxxxxxxxxxx> wrote:
>
> Hi all,
> my 'openssl version' is "1.0.2k-fips".
> The SSL_CTX_set_tmp_ecdh_callback() function is not included in the API list (Documentation - Manpages for 1.0.2).
>
> 1) Shouldn't I use that function?

You may, but SSL_CTX_set_ecdh_auto() is a better choice, since it picks the curve based on the client's list of supported curves. You can set the list of curves supported on your end via SSL_CTX_set1_curves() which takes a list of "nids". IIRC you should first check that all the "nids" are supported, before configuring the final list. Postfix sets up the nid array from a list of names as follows:

    while ((curve = mystrtok(&curves, CHARS_COMMA_SP)) != 0) {
        int nid = EC_curve_nist2nid(curve);

        if (nid == NID_undef)
            nid = OBJ_sn2nid(curve);
        if (nid == NID_undef)
            nid = OBJ_ln2nid(curve);
        if (nid == NID_undef) {
            msg_warn("ignoring unknown \"auto\" ECDHE curve \"%s\"", curve);
            continue;
        }

        /*
         * Validate the NID by trying it as the sole EC curve for a
         * throw-away SSL context.  Silently skip unsupported code points.
         * This way, we can list X25519 and X448 as soon as the nids are
         * assigned, and before the supporting code is implemented.  They'll
         * be silently skipped when not yet supported.
         */
        if (SSL_CTX_set1_curves(tmpctx, &nid, 1) <= 0) {
            ++unknown;
            continue;
        }
        if (++n > space) {
            space *= 2;
            nids = myrealloc(nids, space * sizeof(int));
        }
        nids[n - 1] = nid;
    }

> 2) Why isn't it listed in the manpages?

Someone has to contribute the manpage.

> 3) Should I refer to a different Manpages version? If so, why?

The documentation is in better shape in 1.1.0 and continues to improve.

-- 
	Viktor.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
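The validation trick in the reply above (try each candidate as the sole curve on a throw-away context and skip whatever the library rejects), as an added example that is not part of the thread and not Postfix or OpenSSL code. It is written against Python's standard ssl module rather than the C API: CPython's SSLContext.set_ecdh_curve() resolves a short name with OBJ_sn2nid() and configures that single curve on the context, which is exactly the probe the Postfix loop performs with SSL_CTX_set1_curves(tmpctx, &nid, 1). The NIST_ALIASES table is a hand-written, assumed stand-in for the EC_curve_nist2nid() fallback in the C code, and the input curve lists are constructed for the demonstration.

```python
"""Build a validated ECDHE curve list from configuration text.

Added example, not Postfix or OpenSSL code. Each candidate name is tried
as the sole curve on a throw-away SSLContext; names libssl rejects are
skipped instead of taking the server down at startup.
"""
import ssl

# Assumed stand-in for EC_curve_nist2nid(): the NIST aliases that
# OBJ_sn2nid() does not know, mapped to the OpenSSL short names it does.
NIST_ALIASES = {
    "P-224": "secp224r1",
    "P-256": "prime256v1",
    "P-384": "secp384r1",
    "P-521": "secp521r1",
}


def to_short_name(name: str) -> str:
    """NIST name -> OpenSSL short name; anything else passes through."""
    return NIST_ALIASES.get(name, name)


def validate_curves(curves: str):
    """Return (accepted, skipped) for a comma/space separated curve list.

    Unknown names raise ValueError from set_ecdh_curve(); names OpenSSL
    knows but this build cannot use raise SSLError. Both are skipped, so a
    curve can be listed ahead of library support (the X25519/X448 case in
    the Postfix comment) without breaking the configuration.
    """
    tmpctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # throw-away context
    accepted, skipped = [], []
    for raw in curves.replace(",", " ").split():
        sn = to_short_name(raw)
        try:
            tmpctx.set_ecdh_curve(sn)
        except (ValueError, ssl.SSLError):
            skipped.append(raw)
            continue
        # A repeated entry makes SSL_CTX_set1_curves() reject the whole
        # list in C, so collapse duplicates while building the array.
        if sn not in accepted:
            accepted.append(sn)
    return accepted, skipped


def configure_server_context(curves: str) -> ssl.SSLContext:
    """Apply the first usable curve to a real server context.

    Python exposes no list setter, so only the first accepted curve is
    configured here; in C the whole accepted array would be passed to
    SSL_CTX_set1_curves() followed by SSL_CTX_set_ecdh_auto(ctx, 1).
    """
    accepted, _ = validate_curves(curves)
    if not accepted:
        raise ValueError("no usable ECDHE curve in %r" % curves)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ecdh_curve(accepted[0])
    return ctx


if __name__ == "__main__":
    # Constructed input: a NIST alias, a short name, a duplicate, a typo.
    print(validate_curves("X25519, P-256, secp384r1, P-256, nosuchcurve"))
```

Whether "X25519" lands in the accepted or the skipped list depends on the OpenSSL build Python is linked against, which is the point of probing rather than hard-coding: the configuration can name the curve now and it simply starts working when the library supports it.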