On Thu, Jan 10, 2008 at 07:30:05PM +0200, Sateesh Babu wrote:
> Hi,
>
> Could anyone point me to the usage (API, tutorial, documentation...)
> for Elliptical Curve Cryptography in OpenSSL? I could not find any
> references in the OpenSSL website for the same.
>
Support for ECC is by default disabled in the stable 0.9.8 release, and is
slated for production use with 0.9.9 which is not yet released. Development
snapshots of 0.9.9 are available for testing.

To enable EECDH on a TLSv1 server:

    #include <stdio.h>
    #include <openssl/ssl.h>
    #include <openssl/ec.h>
    #include <openssl/err.h>
    #include <openssl/objects.h>

    /*
     * The function wrapper and the tls_print_errors() helper below are not
     * part of the original fragment; they are added so it compiles as a unit.
     */
    static void tls_print_errors(void)
    {
        ERR_print_errors_fp(stderr);
    }

    /* Returns 1 on success, 0 on failure. */
    static int tls_set_eecdh(SSL_CTX *server_ctx, const char *curve)
    {
        int nid;
        EC_KEY *ecdh;

        /*
         * Elliptic-Curve Diffie-Hellman parameters are either "named curves"
         * from RFC 4492 section 5.1.1, or explicitly described curves over
         * binary fields. OpenSSL only supports the "named curves", which provide
         * maximum interoperability. The recommended curve for 128-bit work-factor
         * key exchange is "prime256v1" a.k.a. "secp256r1" from Section 2.7 of
         * http://www.secg.org/download/aid-386/sec2_final.pdf
         */
        if ((nid = OBJ_sn2nid(curve)) == NID_undef) {
            /* unknown curve */
            return (0);
        }
        ERR_clear_error();
        if ((ecdh = EC_KEY_new_by_curve_name(nid)) == 0
            || SSL_CTX_set_tmp_ecdh(server_ctx, ecdh) == 0) {
            tls_print_errors();
            EC_KEY_free(ecdh);      /* freeing NULL is safe */
            return (0);
        }
        EC_KEY_free(ecdh);          /* SSL_CTX_set_tmp_ecdh() keeps its own copy */
        return (1);
    }

To enable ECDSA certs, just configure an additional cert/key pair in the
server. You can configure up to 3 certificates, one RSA cert, one DSA cert
and one ECDSA cert. The code for adding more certs is the same for RSA and
DSA.

Which cipher-suite will actually be used by the client and server depends on
the client's and server's cipherlist, and whether the server takes the
client's preferences or asserts its own. Clearly both the client and server
need to support EC ciphers.

-- 
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
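An added example, not from the post or from OpenSSL, that models the selection rule in Viktor's last paragraph: a suite is only usable on the server side if a matching cert (RSA, DSA or ECDSA) is configured and, for ECDHE suites, a temporary ECDH key was set, and the winner is the first shared suite in whichever order takes precedence. `negotiate()`, `suite_kx_auth()` and the sample cipherlists are constructed here; `server_preference` stands for the server's SSL_OP_CIPHER_SERVER_PREFERENCE option.

```python
"""Model of TLS cipher-suite selection between a client and a server.

Suite names follow OpenSSL's naming (e.g. ECDHE-ECDSA-AES128-SHA); the
classification covers ECDHE, DHE and plain RSA suites only, and the
cipherlists below are constructed samples, not captured from a real handshake.
"""


def suite_kx_auth(name):
    """Return (key exchange, authentication key type) for a suite name."""
    parts = name.split("-")
    if parts[0] in ("ECDHE", "DHE"):
        auth = "DSA" if parts[1] == "DSS" else parts[1]  # DHE-DSS-* needs a DSA cert
        return parts[0], auth
    return "RSA", "RSA"  # e.g. AES128-SHA: RSA key transport, RSA cert


def server_can_offer(name, certs, tmp_ecdh):
    """A server can only use a suite whose auth type matches a configured cert;
    ephemeral ECDH suites additionally need SSL_CTX_set_tmp_ecdh() to have run."""
    kx, auth = suite_kx_auth(name)
    if kx == "ECDHE" and not tmp_ecdh:
        return False
    return auth in certs


def negotiate(client_list, server_list, certs, tmp_ecdh, server_preference):
    """Pick the first suite common to both sides, walking the list that wins:
    the server's (SSL_OP_CIPHER_SERVER_PREFERENCE) or the client's."""
    usable = [s for s in server_list if server_can_offer(s, certs, tmp_ecdh)]
    first, second = (usable, client_list) if server_preference else (client_list, usable)
    for suite in first:
        if suite in second:
            return suite
    return None  # no shared suite: the handshake fails


# Constructed sample lists: the client prefers EC suites, the server lists RSA first.
CLIENT = ["ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA", "AES128-SHA"]
SERVER = ["AES128-SHA", "ECDHE-RSA-AES128-SHA", "ECDHE-ECDSA-AES128-SHA"]

if __name__ == "__main__":
    for certs, ecdh, pref in [({"RSA"}, True, False), ({"RSA"}, True, True),
                              ({"RSA"}, False, False), ({"RSA", "ECDSA"}, True, False)]:
        print(sorted(certs), "tmp_ecdh=%s" % ecdh, "server_pref=%s" % pref,
              "->", negotiate(CLIENT, SERVER, certs, ecdh, pref))
```

Without an ECDSA cert the ECDHE-ECDSA suite the client likes best is never reachable, and without a temporary ECDH key no ECDHE suite is, which is why both the key and the extra cert matter.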