On Wed, Aug 22, 2012, Varma Dantuluri wrote: > Hi > > We are in the process of adding support for ECDSA-ECDHE cipher suites and > hence ECDSA certificates to our server. > > Right now, the server does the following: > > 1) Assign the ECDSA certificate to the SSL_CTX. > 2) Set the callback for ECDH parameter generation using > SSL_CTX_set_tmp_ecdh_callback. > > In ssl3_send_server_key_exchange, when this callback is called, the value > of 'keylength' parameter is always either 512 or 1024. Shouldnt 'keylength' > have the curve name or id in the case of ECDH? Are we doing something wrong > here? >
No, it's a limitation in some versions of OpenSSL. You basically have to pick a curve you think the peer will support, P-256 is usually a safe choice. If the peer doesn't support it then ECDHE will be disabled. You might as as well set the curve using SSL_CTX_set_tmp_ecdh instead of the callback. This is fixed in the development version of OpenSSL: for that you can just set it to automatically use the right curve based on client and server preferences. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
