Re: SSL_CTX_set_tmp_ecdh_callback() - version 1.0.2k

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> On May 13, 2017, at 11:48 AM, Massimo G. <sberla81@xxxxxxxxxxx> wrote:
> 
> Hi all,
> my 'openssl version' is "1.0.2k-fips".
> The SSL_CTX_set_tmp_ecdh_callback() function is not included in the API list (Documentation - Manpages for 1.0.2).
> 
> 1) Shouldn't I use that function?

You may, but SSL_CTX_set_ecdh_auto() is a better choice, since it picks the
curve based on the client's list of supported curves.  You can set the list
of curves supported on your end via SSL_CTX_set1_curves() which takes a list
of "nids".  IIRC you should first check that all the "nids" are supported,
before configuring the final list.

Postfix setups the nid array, from a list of names as follows:

    while ((curve = mystrtok(&curves, CHARS_COMMA_SP)) != 0) {
        int     nid = EC_curve_nist2nid(curve);

        if (nid == NID_undef)
            nid = OBJ_sn2nid(curve);
        if (nid == NID_undef)
            nid = OBJ_ln2nid(curve);
        if (nid == NID_undef) {
            msg_warn("ignoring unknown \"auto\" ECDHE curve \"%s\"",
                     curve);
            continue;
        }

        /*
         * Validate the NID by trying it as the sole EC curve for a
         * throw-away SSL context.  Silently skip unsupported code points.
         * This way, we can list X25519 and X448 as soon as the nids are
         * assigned, and before the supporting code is implemented.  They'll
         * be silently skipped when not yet supported.
         */
        if (SSL_CTX_set1_curves(tmpctx, &nid, 1) <= 0) {
            ++unknown;
            continue;
        }
        if (++n > space) {
            space *= 2;
            nids = myrealloc(nids, space * sizeof(int));
        }   
        nids[n - 1] = nid;
    }

> 2) Why isn't it listed in the manpages?

Someone has to contribute the manpage.

> 
> 3) Should I refer to a different Manpages version? If so, why?

The documentation is in better shape in 1.1.0 and continues to
improve.

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux