On Wed, Nov 26, 2014, Giuseppe D'Angelo wrote:

> On 26/11/2014 12:03, Matt Caswell wrote:
> >Hmmmm....SSL_CTX_set1_curves returns an error for me if I pass it that
> >curve that you mentioned.
> >
> >Can you share any code for exactly how you are calling it?
> 
> Heh, it's a bit complex as of now (you can find it in the patch
> linked to my first email, [1]), I'll try tearing it down into a pure
> C/C++ example (also to exclude a silly mistake on my side)...
> 
> [1] https://codereview.qt-project.org/#/c/94022/24/src/network/ssl/qsslcontext_openssl.cpp
> 

Note that there is a different potential problem with the code there. You're
allowing the setting of a custom set of supported curves but hard coding a
single curve for the ECDH temporary key. You could end up with a set of
supported curves which doesn't include your temporary key: which will
effectively disable any ECDH ciphersuites.

I'd suggest you set auto parameters if the version is 1.0.2+ instead with:

SSL_CTX_set_ecdh_auto(ctx, 1);

Then the highest preference curve will be used for ECDH instead. For 1.0.1 or
earlier you'd still have to use the single curve.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
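An added pre-flight check for the mismatch Steve describes (the temporary ECDH curve missing from the configured curve list), plus the version-guarded setup he suggests. This is example code, not the Qt patch or OpenSSL's own; the `tmp_ecdh_curve_in_list`/`configure_ecdh` names and the `USE_OPENSSL` build macro are assumptions, and the list uses the colon-separated format `SSL_CTX_set1_curves_list()` accepts.

```c
#include <string.h>

/* Map the P-xxx aliases that SSL_CTX_set1_curves_list() accepts to the
 * OBJ short names, so "P-256" and "prime256v1" compare equal. */
static const char *canonical_curve(const char *name)
{
    if (strcmp(name, "P-256") == 0) return "prime256v1";
    if (strcmp(name, "P-384") == 0) return "secp384r1";
    if (strcmp(name, "P-521") == 0) return "secp521r1";
    return name;
}

/* Pre-flight check: 1 if the curve hard-coded for the temporary ECDH key is in
 * the colon-separated supported-curves list, 0 if not (every ECDH suite would
 * then be unusable with a peer that honours the list), -1 on an empty/long list. */
int tmp_ecdh_curve_in_list(const char *list, const char *tmp_ecdh_curve)
{
    char buf[256];
    const char *want = canonical_curve(tmp_ecdh_curve);
    int found = 0, n = 0;
    if (strlen(list) >= sizeof buf) return -1;
    strcpy(buf, list);
    for (char *tok = strtok(buf, ":"); tok != NULL; tok = strtok(NULL, ":")) {
        n++;
        if (strcmp(canonical_curve(tok), want) == 0) found = 1;
    }
    return n == 0 ? -1 : found;
}

#ifdef USE_OPENSSL /* build with -DUSE_OPENSSL -lssl -lcrypto */
#include <openssl/ssl.h>
#include <openssl/ec.h>
#include <openssl/objects.h>
/* 1.0.2+: apply the list and let OpenSSL pick the ECDH curve from it; 1.0.1 and
 * earlier have no curve-list API, so only the single fixed curve remains. */
int configure_ecdh(SSL_CTX *ctx, const char *list, const char *fixed_curve)
{
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
    if (SSL_CTX_set1_curves_list(ctx, list) != 1) return 0;
    return SSL_CTX_set_ecdh_auto(ctx, 1) == 1;
#else
    EC_KEY *key = EC_KEY_new_by_curve_name(OBJ_sn2nid(canonical_curve(fixed_curve)));
    int ok = key != NULL && SSL_CTX_set_tmp_ecdh(ctx, key) == 1;
    EC_KEY_free(key);
    (void)list;
    return ok;
#endif
}
#endif
```

Run the check before applying a custom list so a fixed temporary curve that is absent from it is caught at configuration time rather than as failed ECDH handshakes.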